Apple Security Advisory 2022-12-13-4 - macOS Ventura 13.1 addresses bypass, code execution, out of bounds access, out of bounds write, spoofing, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2022-12-13-4 macOS Ventura 13.1

macOS Ventura 13.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213532.

Accounts  
Available for: macOS Ventura  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved data protection.  
CVE-2022-42843: Mickey Jin (@patch1t)

AMD  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-42847: ABC Research s.r.o.

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by enabling hardened runtime.  
CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRing

Bluetooth  
Available for: macOS Ventura  
Impact: An app may be able to disclose kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42854: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte.  
Ltd. (@starlabs_sg)

Boot Camp  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file  
system  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2022-42853: Mickey Jin (@patch1t) of Trend Micro

CoreServices  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: Multiple issues were addressed by removing the  
vulnerable code.  
CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) of  
Offensive Security

DriverKit  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-32942: Linus Henze of Pinauten GmbH (pinauten.de)

ImageIO  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted file may lead to arbitrary  
code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46693: Mickey Jin (@patch1t)

IOHIDFamily  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with improved state  
handling.  
CVE-2022-42864: Tommy Muir (@Muirey03)

IOMobileFrameBuffer  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2022-46690: John Aakerblom (@jaakerblom)

IOMobileFrameBuffer  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: An out-of-bounds access issue was addressed with  
improved bounds checking.  
CVE-2022-46697: John Aakerblom (@jaakerblom) and Antonio Zekic  
(@antoniozekic)

iTunes Store  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: An issue existed in the parsing of URLs. This issue was  
addressed with improved input validation.  
CVE-2022-42837: Weijia Dai (@dwj1210) of Momo Security

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A race condition was addressed with additional  
validation.  
CVE-2022-46689: Ian Beer of Google Project Zero

Kernel  
Available for: macOS Ventura  
Impact: Connecting to a malicious NFS server may lead to arbitrary  
code execution with kernel privileges  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-46701: Felix Poulin-Belanger

Kernel  
Available for: macOS Ventura  
Impact: A remote user may be able to cause kernel code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to break out of its sandbox  
Description: This issue was addressed with improved checks.  
CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-Year  
Lab

Kernel  
Available for: macOS Ventura  
Impact: An app with root privileges may be able to execute arbitrary  
code with kernel privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42845: Adam Doupé of ASU SEFCOM

Photos  
Available for: macOS Ventura  
Impact: Shake-to-undo may allow a deleted photo to be re-surfaced  
without authentication  
Description: The issue was addressed with improved bounds checks.  
CVE-2022-32943: an anonymous researcher

ppp  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42840: an anonymous researcher

Preferences  
Available for: macOS Ventura  
Impact: An app may be able to use arbitrary entitlements  
Description: A logic issue was addressed with improved state  
management.  
CVE-2022-42855: Ivan Fratric of Google Project Zero

Printing  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed by removing the vulnerable  
code.  
CVE-2022-42862: Mickey Jin (@patch1t)

Ruby  
Available for: macOS Ventura  
Impact: A remote user may be able to cause unexpected app termination  
or arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2022-24836  
CVE-2022-29181

Safari  
Available for: macOS Ventura  
Impact: Visiting a website that frames malicious content may lead to  
UI spoofing  
Description: A spoofing issue existed in the handling of URLs. This  
issue was addressed with improved input validation.  
CVE-2022-46695: KirtiKumar Anandrao Ramchandani

Weather  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: The issue was addressed with improved handling of  
caches.  
CVE-2022-42866: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 245521  
CVE-2022-42867: Maddie Stone of Google Project Zero

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory consumption issue was addressed with improved  
memory handling.  
WebKit Bugzilla: 245466  
CVE-2022-46691: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may bypass Same  
Origin Policy  
Description: A logic issue was addressed with improved state  
management.  
WebKit Bugzilla: 246783  
CVE-2022-46692: KirtiKumar Anandrao Ramchandani

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may result in the  
disclosure of process memory  
Description: The issue was addressed with improved memory handling.  
CVE-2022-42852: hazbinhotel working with Trend Micro Zero Day  
Initiative

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
input validation.  
WebKit Bugzilla: 246942  
CVE-2022-46696: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 247562  
CVE-2022-46700: Samuel Groß of Google V8 Security

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may disclose  
sensitive user information  
Description: A logic issue was addressed with improved checks.  
CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs  
& DNSLab, Korea Univ.

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution  
Description: A memory corruption issue was addressed with improved  
state management.  
WebKit Bugzilla: 247420  
CVE-2022-46699: Samuel Groß of Google V8 Security  
WebKit Bugzilla: 244622  
CVE-2022-42863: an anonymous researcher

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited against versions of iOS released  
before iOS 15.1.  
Description: A type confusion issue was addressed with improved state  
handling.  
WebKit Bugzilla: 248266  
CVE-2022-42856: Clément Lecigne of Google's Threat Analysis Group

xar  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted package may lead to  
arbitrary code execution  
Description: A type confusion issue was addressed with improved  
checks.  
CVE-2022-42841: Thijs Alkemade (@xnyhps) of Computest Sector 7

Additional recognition

Kernel  
We would like to acknowledge Zweig of Kunlun Lab for their  
assistance.

Lock Screen  
We would like to acknowledge Kevin Mann for their assistance.

Safari Extensions  
We would like to acknowledge Oliver Dunk and Christian R. of  
1Password for their assistance.

WebKit  
We would like to acknowledge an anonymous researcher and scarlet for  
their assistance.

macOS Ventura 13.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYAACgkQ4RjMIDke  
Nxk1zRAAuqDsK19ODzl+oIO6xYMDcbiQV/ibvU9uwLtwTR8Y2wLga9V/vaaPTS6z  
qRkTivKEfdLMVW8Xlzl1jb+BMS0+dIjYrPAFatU8A5H2A3MLY5Trl9tTs+D8BgQJ  
reLRAyR6qJVwu+VMMjgrUxkQliPNYeumrmLwmKJdByYPzv4GLY5bOIf6siUAIJdB  
vs2zzcq6+BnoJkS1iYa+Ub5S3bSryR2i8vrSit6PcYBtLKHxUJaK2YBdA8LoqB4J  
wenkEaEhyilm0bpyyF0VxDuvOcotqrGa2ikScrik/N/NueMqDi9duo9kKKVia0xa  
Gx2cYLNDG10KBmz9w9B8YC6lNa6t7M5zmCYn8TmXTfndd7fCYbYajZNT0WxIYteK  
sXYPkVpqEd4KVZxtQ3MfHlx5y4FwnqBkLACnfsNCs4KatbJPEg9Qy9Mn2ymi/9He  
UoVt3XnQVhAgGIRV2qezjV9r0rtgnWpSKvFd9LSDcB9F6b/bzRipbxVnqdWCL1If  
ymeeEY8BJ7WJnFqgXzRo42+4bp4R67iNH+Z/JjUy/Z7C3f2O66fFZu2pNL1vLILA  
Wi/dprF13SjqCIavwWPbVL8UvfaAwBz53y38gwei6eSdsEO383r0XIIKjErGbWm6  
hqHq/QKTWHQZqUFj4kUb4Ajw8Qe0j0qSrCLt4Wl11u/0r5hTRyI=  
=C5EK  
-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-4

Apple Security Advisory 2022-12-13-3 - iOS 16.1.2 addresses a code execution vulnerability.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-3 iOS 16.1.2iOS 16.1.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213516.WebKitAvailable for: iPhone 8 and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited against versions of iOS releasedbefore iOS 15.1.Description: A type confusion issue was addressed with improved statehandling.WebKit Bugzilla: 248266CVE-2022-42856: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.1.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYEACgkQ4RjMIDkeNxll4hAAolqnH+W3gE3w2Xri3wUchwkj6WPhfWcwwc+l0cxUxiDqzhGSkW4kNTVIeCjENaJ4WfsK7COfxx8qnmQtcqV8P406XtDomeE96Rm/euCEzkSpVPSs4S8+YwvOqRNWVbWmWQ1gKFSqkuZb2Y5IAnA+KI3Fw1M1iq8Cbs/bkUVjNfrIrrPgl19BercEOjsjq+BQS15dIq84GUiSv/KTU31NKMeSQLB8O9+u91tuBex2b+1mdwb15K1R17OIe/exVA2qnQFctfhWu2uh2izckATylQjtvQHMr0pAwdEoLyRl1xXrW62DeVwWBsn0bxUhjSfS/clmXyN/hL1ocgUrHrI9yAVST5oug/LqR8RjTkgTBcGF9C0YMXaexvA0y2AhF70pl67UESleBSRddayFAW2lZkV/YdJosxGLsRviy8jdiiQ4VJ5xI9TAECbUGgF2qHVSz4gnlyyDUfUqHUmjLej48qCMbadY4IQQmvW30yiCW+shHfaLzCBYZ2cLhUCD7IqU7C1+KE+bJ1Y/k7EXOkLWhZ9go7kKUF6OfpVd6OPIYd4R38eghUXU4ZviQwYQlkXm1Q+DZrwaOvMf0kMkCA/10ktuzhKSpiCI/47BqcE8VYi0CCbOUaSZSPi6P0jlpuIsxCd1UKkGaTsfdJIyeNY1VPHkiOl2BYpIelCqqhOiNHc==wMpD-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-3

Apple Security Advisory 2022-12-13-2 - iOS 15.7.2 and iPadOS 15.7.2 addresses bypass, code execution, integer overflow, out of bounds write, and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-2 iOS 15.7.2 and iPadOS 15.7.2iOS 15.7.2 and iPadOS 15.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213531.AppleAVDAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Parsing a maliciously crafted video file may lead to kernelcode executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46694: Andrey Labunets and Nikita TarakanovAVEVideoEncoderAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A logic issue was addressed with improved checks.CVE-2022-42848: ABC Research s.r.oFile SystemAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-YearLabGraphics DriverAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Parsing a maliciously crafted video file may lead tounexpected system terminationDescription: The issue was addressed with improved memory handling.CVE-2022-42846: Willy R. Vasquez of The University of Texas at AustinIOHIDFamilyAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with improved statehandling.CVE-2022-42864: Tommy Muir (@Muirey03)iTunes StoreAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An issue existed in the parsing of URLs. This issue wasaddressed with improved input validation.CVE-2022-42837: Weijia Dai (@dwj1210) of Momo SecurityKernelAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with additionalvalidation.CVE-2022-46689: Ian Beer of Google Project Zerolibxml2Available for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An integer overflow was addressed through improved inputvalidation.CVE-2022-40303: Maddie Stone of Google Project Zerolibxml2Available for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: This issue was addressed with improved checks.CVE-2022-40304: Ned Williamson and Nathan Wachholz of Google ProjectZeropppAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42840: an anonymous researcherPreferencesAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: An app may be able to use arbitrary entitlementsDescription: A logic issue was addressed with improved statemanagement.CVE-2022-42855: Ivan Fratric of Google Project ZeroSafariAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Visiting a website that frames malicious content may lead toUI spoofingDescription: A spoofing issue existed in the handling of URLs. Thisissue was addressed with improved input validation.CVE-2022-46695: KirtiKumar Anandrao RamchandaniWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory consumption issue was addressed with improvedmemory handling.WebKit Bugzilla: 245466CVE-2022-46691: an anonymous researcherWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may result in thedisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-42852: hazbinhotel working with Trend Micro Zero DayInitiativeWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may bypass SameOrigin PolicyDescription: A logic issue was addressed with improved statemanagement.WebKit Bugzilla: 246783CVE-2022-46692: KirtiKumar Anandrao RamchandaniWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedinput validation.WebKit Bugzilla: 247562CVE-2022-46700: Samuel Groß of Google V8 SecurityWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Pro (all models), iPad Air 2 and later,iPad 5th generation and later, iPad mini 4 and later, and iPod touch(7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited against versions of iOS releasedbefore iOS 15.1.Description: A type confusion issue was addressed with improved statehandling.WebKit Bugzilla: 248266CVE-2022-42856: Clément Lecigne of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.2 and iPadOS 15.7.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYIACgkQ4RjMIDkeNxn07xAA2gJjgY+Ql7WKtXSxsU4snP+8d2zDgD5hKkZVETJrKG1TGwAKK/YdW0Ug8nmj/DIU+RRsU8KpGLiN4TGsHVot1GaDwwMQ/HCUG4bHFjknc0TqrTkUCfG6rnkhbFouinoNfyPf7gcmLkQg2AhrNjA/a9QJzfmX2XKtGybIN1kFDd8eMKb/setgVQUS12h4N6YBI4WjSGvyZ8vagqpMRAz0An4lSEoa21CN1ViM0E4wBWIyU8Ux05fN+Lvn2gefdjyGV5IP63z3kYe4D/Vt6yatBo1n7ERM9If7IMGO5O8DJqrynTZ3q1kCsxcRQheJHkPZDF/8ogjAdNiOzqybSzhhcNk0uteTSXX1tYGvRos7GyDSTG6/KjuFvB60Wohwzr16o6VkcZyaU41cA9dWKrv3+RRTm7UR2/CKGngrjcnm4jAotR+pjtQU444vECGQVTx/qat7Eu+IFe2llm8JcjBHjx1R6Rbb8sqmzD4lVDja/aZ2491vsVdOytq+cZ59nZqwbG7vo8mBow+zEcoKsh8pAGRYoLW3WU1MetNt04V9d+7Fv7wG/+BNkzHNqOhOa7+4SwD8wvApxdF2+hZgSD26owwkbfG4hnf71w4DSDPpwRC/CoRvhDMZToSlsPLIWP29jIII09N8TNW3PVlIAjquv7oxir7BohtGu5ioSmgI3fQ==wLMf-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-2

Apple Security Advisory 2022-12-13-1 - iOS 16.2 and iPadOS 16.2 addresses bypass, code execution, out of bounds write, spoofing, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2022-12-13-1 iOS 16.2 and iPadOS 16.2iOS 16.2 and iPadOS 16.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213530.AccountsAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A user may be able to view sensitive user informationDescription: This issue was addressed with improved data protection.CVE-2022-42843: Mickey Jin (@patch1t)AppleAVDAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Parsing a maliciously crafted video file may lead to kernelcode executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46694: Andrey Labunets and Nikita TarakanovAppleMobileFileIntegrityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: This issue was addressed by enabling hardened runtime.CVE-2022-42865: Wojciech Reguła (@_r3ggi) of SecuRingAVEVideoEncoderAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A logic issue was addressed with improved checks.CVE-2022-42848: ABC Research s.r.oCoreServicesAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: Multiple issues were addressed by removing thevulnerable code.CVE-2022-42859: Mickey Jin (@patch1t), Csaba Fitzl (@theevilbit) ofOffensive SecurityGPU DriversAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to disclose kernel memoryDescription: The issue was addressed with improved memory handling.CVE-2022-46702: Xia0o0o0o of W4terDr0p, Sun Yat-sen UniversityGraphics DriverAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42850: Willy R. Vasquez of The University of Texas at AustinGraphics DriverAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Parsing a maliciously crafted video file may lead tounexpected system terminationDescription: The issue was addressed with improved memory handling.CVE-2022-42846: Willy R. Vasquez of The University of Texas at AustinImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing a maliciously crafted file may lead to arbitrarycode executionDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46693: Mickey Jin (@patch1t)ImageIOAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Parsing a maliciously crafted TIFF file may lead todisclosure of user informationDescription: The issue was addressed with improved memory handling.CVE-2022-42851: Mickey Jin (@patch1t)IOHIDFamilyAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with improved statehandling.CVE-2022-42864: Tommy Muir (@Muirey03)IOMobileFrameBufferAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2022-46690: John Aakerblom (@jaakerblom)iTunes StoreAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause unexpected app terminationor arbitrary code executionDescription: An issue existed in the parsing of URLs. This issue wasaddressed with improved input validation.CVE-2022-42837: Weijia Dai (@dwj1210) of Momo SecurityKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: A race condition was addressed with additionalvalidation.CVE-2022-46689: Ian Beer of Google Project ZeroKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Connecting to a malicious NFS server may lead to arbitrarycode execution with kernel privilegesDescription: The issue was addressed with improved bounds checks.CVE-2022-46701: Felix Poulin-BelangerKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A remote user may be able to cause kernel code executionDescription: The issue was addressed with improved memory handling.CVE-2022-42842: pattern-f (@pattern_F_) of Ant Security Light-YearLabKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: This issue was addressed with improved checks.CVE-2022-42861: pattern-f (@pattern_F_) of Ant Security Light-YearLabKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2022-42844: pattern-f (@pattern_F_) of Ant Security Light-YearLabKernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app with root privileges may be able to execute arbitrarycode with kernel privilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42845: Adam Doupé of ASU SEFCOMPhotosAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Shake-to-undo may allow a deleted photo to be re-surfacedwithout authenticationDescription: The issue was addressed with improved bounds checks.CVE-2022-32943: an anonymous researcherpppAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivilegesDescription: The issue was addressed with improved memory handling.CVE-2022-42840: an anonymous researcherPreferencesAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to use arbitrary entitlementsDescription: A logic issue was addressed with improved statemanagement.CVE-2022-42855: Ivan Fratric of Google Project ZeroPrintingAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to bypass Privacy preferencesDescription: This issue was addressed by removing the vulnerablecode.CVE-2022-42862: Mickey Jin (@patch1t)SafariAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Visiting a website that frames malicious content may lead toUI spoofingDescription: A spoofing issue existed in the handling of URLs. Thisissue was addressed with improved input validation.CVE-2022-46695: KirtiKumar Anandrao RamchandaniSoftware UpdateAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: A user may be able to elevate privilegesDescription: An access issue existed with privileged API calls. Thisissue was addressed with additional restrictions.CVE-2022-42849: Mickey Jin (@patch1t)WeatherAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: The issue was addressed with improved handling ofcaches.CVE-2022-42866: an anonymous researcherWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 245521CVE-2022-42867: Maddie Stone of Google Project ZeroWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory consumption issue was addressed with improvedmemory handling.WebKit Bugzilla: 245466CVE-2022-46691: an anonymous researcherWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may bypass SameOrigin PolicyDescription: A logic issue was addressed with improved statemanagement.WebKit Bugzilla: 246783CVE-2022-46692: KirtiKumar Anandrao RamchandaniWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may result in thedisclosure of process memoryDescription: The issue was addressed with improved memory handling.CVE-2022-42852: hazbinhotel working with Trend Micro Zero DayInitiativeWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedinput validation.WebKit Bugzilla: 246942CVE-2022-46696: Samuel Groß of Google V8 SecurityWebKit Bugzilla: 247562CVE-2022-46700: Samuel Groß of Google V8 SecurityWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may disclosesensitive user informationDescription: A logic issue was addressed with improved checks.CVE-2022-46698: Dohyun Lee (@l33d0hyun) of SSD Secure Disclosure Labs& DNSLab, Korea Univ.WebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code executionDescription: A memory corruption issue was addressed with improvedstate management.WebKit Bugzilla: 247420CVE-2022-46699: Samuel Groß of Google V8 SecurityWebKit Bugzilla: 244622CVE-2022-42863: an anonymous researcherAdditional recognitionKernelWe would like to acknowledge Zweig of Kunlun Lab and pattern-f(@pattern_F_) of Ant Security Light-Year Lab for their assistance.Safari ExtensionsWe would like to acknowledge Oliver Dunk and Christian R. of1Password for their assistance.WebKitWe would like to acknowledge an anonymous researcher and scarlet fortheir assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.2 and iPadOS 16.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmOZFYIACgkQ4RjMIDkeNxmnGxAAuO8CwNDPYn+yyq7VIRB6+sCaV962MC2c7TFzU+R1waBBaG57NmJQeANL5645QVNL/5k0TaFiSV/dFg15YvBkLgC6JVHeKebYvboSHB0wsfxejfwYnYFLNc44xriqdQSarmp61Aw4270LFRjV1XokOGuEzo4U3InyhiawceAVR/qvteNDxETnsiANjyaPRnx1d2K22+VZAFRtVjLgFLkBwAguamuMe8vIaqP71giORZNfX+w+GduszAqYSpo5aPC8G56GmHGZnSid/utBa2CqXfVRMyUmnYYukPrYACdy4WkTKWOWCbPrCbkTVWc43jsWhPqsMFopyy4K+SaCZqNdcpIag8n5uvCsf0tLPIUPTMRXSj3w1WOq1++6NV3cZp6RaFVYJ3twU2D1q/Vj8VXILNPvECzGNlOxRJu0H7w3VD5ZdZ16Gsc8T62CER5CSJr49fj5ixLCP9HepmIK5Rz0UXMxmylUANk2h88HK9hr7/s1EOYtCVjTEYQ2c1ESd87HYz24iYnqaL5d8KDFiGQCVfuwnz2keWO7Lc2E+8OUqqYTWfCoSWprWnSUZR31xA+JnPSS4WBP4RzitUmAiP5sdulF0jg4IZ0y0RUwWI4lD4vv0z9glb++rRHhPJj9uuirFcmKJ1BSfEN1glq/gGW8SP1vuq1BU+fIdeHtw4XeeIw==qV7H-----END PGP SIGNATURE-----

Apple Security Advisory 2022-12-13-1

Organizations can start by integrating functions like detection, prioritization, and remediation on to a single platform.

Cloud transformation often occurs simultaneously across siloed organizational units and groups, each potentially using a different cloud for their applications and workloads. However, taking inventory of all their cloud resources and building a compliant, secure, simple, and unified strategy has become a common challenge.

It wouldn’t be surprising to see an organization with most of its workloads in AWS using Microsoft 365 and Azure Active Directory while also heavily using Google Cloud GKE and Big Query. On top of that, Oracle Cloud may also be in the mix with some autonomous database offerings. As cloud adoption matures in an organization, and as smaller cloud providers gain traction, the mix of services and cloud platforms becomes incredibly diverse and complex. In light of these challenges, organizations must still find ways to govern and secure their entire cloud infrastructure.

The answer? A framework that works across all clouds to unify detection, prioritization, and remediation of the most impactful risks facing the organization.

****Identities and Authentication Keys****

Diving into a use case around cloud identity authentication keys for access, let’s see how you can protect your organization’s crown jewels in your multicloud environment. In the cloud world, identity is perhaps the most critical cloud object to govern, monitor, detect, and remediate. Compromising a cloud identity has the largest blast radius since, frankly, the public cloud is just a bunch of public APIs that respond to authenticated requests.

Authentication keys are cryptographic entities attached to an identity that allow you to issue authenticated API requests from the Internet. Hence, these keys call for the undivided attention of any governance and security strategy. However, each cloud provider defines identity in a different way, with a completely new set of capabilities and risks.

    

The idea here is to think of an organization that wants to enforce the following policy: “Authentication keys should be rotated every 90 days, and every 30 days if they enable personally identifying information access.” This seemingly simple policy would need to take four different implementations, depending on which cloud it’s using. Additionally, the security admin would need to tailor specific policies, such as limiting the number of concurrent keys (not relevant to AWS) or enforcing expiration dates upon key creation (not relevant for secrets).

The same concept applies when an organization tries to enforce “do not allow public access to storage objects” or “only build workloads from images that are up to date.”

****Building, Securing, and Governing the Cloud****

While each cloud is unique, foundationally, they are not so different. They all have a concept of a computer instance, object and file storage, and both human and nonhuman identities, each of which can be assigned permissions. As a result, the multicloud infrastructure calls for unification between building, securing, and governing the cloud.

When building cloud deployments, organizations rely on infrastructure as code (IaC) languages like HashiCorp’s Terraform to create a unified approach to address cloud objects. Think of IaC as a higher-level language over the lower-level cloud-specific API calls.

The parallel higher-level language for securing and governing the cloud is the cloud-native application protection platform (CNAPP). CNAPP converges tools like cloud security posture management, cloud infrastructure entitlement management, cloud workload protection platform, configuration management database, and others, providing complete security for your cloud, spanning the cloud development lifecycle from build time to run time. CNAPP provides a single pane of glass for all your cloud environments.

These solutions provide a complete inventory of your cloud assets, as well as visibility into potential security gaps and risks, correlating across a broad range of signals including misconfigurations, vulnerabilities, Internet exposure, excessive permissions, and more.

Through a CNAPP, teams can enable unified detection, investigation, and enforcement of common cloud objects, as well as pitfalls such as exposed storage, unpatched compute instances, and more. Ideally, a single UI workflow allows you to enforce multicloud organization policies such as “block public access for cloud storage” or “isolate compute instances that accept traffic from the Internet and expose a service with critical vulnerabilities.”

Here are additional best practices and recommendations for securing your cloud footprint:

*   Decide whether to measure against a security framework like NIST or CIS, or your own internally developed policies. Implement these policies across the development lifecycle, with explicit definition of where to enforce action-blocking guardrails. A CNAPP can help you accomplish this.
*   Ensure your security team is diversified in terms of multicloud knowledge, e.g., AWS, Azure, and GCP.
*   Implement identity best practices, such as single sign-on and multifactor authentication, via your organization’s existing IAM provider, whenever possible. Avoid the use of cloud-specific local identities to access the cloud from the Internet.
*   Define the unified view as a prerequisite for procurement of cloud security tools. Ideally, choose tools that enable a unified approach of enforcing organizational policies across clouds.

Cloud transformation has become a vital initiative for many organizations. As you go through the cloud transformation journey, remember that your approach to security (and the tools you use) must transform as well. Whether you’re unifying siloed tools, security and DevOps teams, different cloud vendors, management, or policies and languages, bringing tools together and enforcing commonalities will benefit your organization in the long run.

Read more _Partner Perspectives_ from Zscaler.

Best Practices for Securing and Governing Your Multicloud Deployment

By Deeba Ahmed
Researchers believe that GodFather could be a successor of another banking trojan called Anubis, which had its source code leaked in January 2019 on an underground hacking forum.
This is a post from HackRead.com Read the original post: “GodFather” Hits Banks, Crypto Wallets Apps as Android Trojan Emerges

GodFather is a new Android banking trojan that is currently targeting unsuspecting users of over 400 banking, crypto wallet, and exchange apps worldwide.

The cyber security researchers at Group-IB have shared details of a dangerous mobile banking trojan targeting banking apps, crypto exchanges, and cryptocurrency wallets since at least June 2021.

**What is GodFather?**

Dubbed “GodFather” by Group-IB, this malware has targeted users of over 400 cryptocurrency and banking apps across 16 nations. Group-IB detected the Trojan in June 2021, while the information was disclosed publicly by ThreatFabric in March 2022.

Researchers believe that GodFather could be a successor of another **banking trojan called Anubis**, which had its source code leaked in January 2019 on an underground hacking forum.

**How Is it Delivered?**

The malware is delivered to different threat actors via malware-as-a-service platforms and is hidden inside apps available on Google Play. These apps appear legitimate; however, in reality, they contain a payload made to look as if it is secured through **Google Protect**.

When a victim interacts with a fake notification or attempts to open one of these apps, the malware displays a fake web overlay that starts stealing usernames and passwords, along with SMS-based 2FA codes.

**What are GodFather Capabilities?**

The malware steals user credentials by creating fake, yet overlay screens or web fakes through the targeted apps. Due to its **backdoor capabilities**, GodFather can abuse Android systems’ Accessibility APIs, log keystrokes, record videos, steal call logs and SMS, and capture screenshots.

Further, it can also launch keyloggers and track the device screen to get its desired information. It is unusual because it retrieves its C&C server address by decrypting a Telegram channel description, controlled by the threat actor and encoded through the popular cipher called **Blowfish**.

**Who are the Targets?**

According to Group-IB’s **report**, in the latest attack spree, around 215 banks, 110 crypto exchanges, and 94 crypto wallet providers have been targeted by the GodFather operators. The prime targets of the GodFather trojan include the following countries:

1.  Italy
2.  Spain
3.  Turkey
4.  France
5.  Canada
6.  Germany
7.  United States
8.  United Kingdom

It is worth noting that the malware did not target post-Soviet countries, which indicates that the attackers could be **Russian**.

> “If the potential victim’s system preferences include one of the languages in that region, the Trojan shuts down. This could suggest that GodFather’s developers are Russian speakers.”
> 
> Artem Grischenko – Group-IB

1.  **Android malware TeaBot stealing data, intercepting SMS**
2.  **BRATA Android malware steals funds, factory resets phones**
3.  **Russian Android Malware Tracks GPS Location, Spies on Victims**
4.  **TangleBot Android malware hijacks phones, steals login credentials**

“GodFather” Hits Banks, Crypto Wallets Apps as Android Trojan Emerges

Trend Micro will be joining Google's App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store.

Google has announced Trend Micro will be joining their App Defense Alliance (ADA) to help improve their ability to identify malicious apps before they are published to the Google Play store. Trend Micro will be pre-scanning apps utilizing our Mobile App Reputation Service (MARS). We’re proud to be asked to support this alliance and join the other members who are part of this program which supports Trend Micro’s mission to make the World safe for exchanging digital information.

MARS, was initially developed and launched in 2012. protects our mobile customers by supporting a reputation service that checks any apps on their mobile devices. This uses a process whereby a query is sent by the customer to MARS, which then responds with a detection of whether the app is good, bad, or unknown. If unknown, we utilize threat intelligence to quickly make a determination. MARS received over 47 billion queries in 2021, resulting in 37 million malicious app detections. As of September 2022, MARS has received over 36 billion queries and made 27 million detections.

Trend Micro mobile researchers are regularly publishing articles and reports on mobile threats to help people better understand what this threat landscape looks like. Trend Micro will continue to invest in our research and development both in human capital and technology like artificial intelligence and machine learning to improve the mobile ecosystem. As one of the largest pure cybersecurity vendors in the world, this investment and focus allow us to protect both our partners like Google and our customers from cyber threats targeting them.

As more and more consumers rely on their mobile devices and the apps installed for everyday work and play, this partnership will ensure they are protected from malicious actors around the world. Trend Micro looks forward to a long partnership with Google.

Keep up with the latest cybersecurity threats, newly-discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

Subscribe

Trend Micro Joins Google’s App Defense Alliance

The malware has resurfaced, using an icon and name similar to the legitimate Google Play app MYT Music, a popular app with more than 10 million downloads.

A type of Android malware that's been targeting banking users worldwide since March has resurfaced with advanced obfuscation methods, masquerading as a legitimate application on the Google Play store with more than 10 million downloads, researchers have found.

Godfather is a banking Trojan that is best known for targeting banking users in European countries, but its latest activity shows an increased sophistication in its ability to fly under the radar of common malware-detection methods, researchers from Cyble Research & Intelligence Labs (CRIL) said in a blog post on Dec. 20.

Once it's successfully installed on a victim's device, Godfather initiates a series of typical banking Trojan behaviors, including stealing banking and crypto-exchange credentials, the researchers said. But it also steals sensitive data such as SMSs, basic device details — including data from installed applications — and the device's phone number, and it can perform a number of nefarious actions silently in the background.

"Apart from these, it can also control the device screen using VNC \[virtual network computing\], forwarding incoming calls of the victim's device and injecting banking URLs," the Cyble researchers wrote.

The latest sample of Godfather that researchers discovered was encrypted using custom encryption techniques that could evade detection by common antivirus products — a new tactic of the threat actors behind the malware, the researchers said.

**Targeting Businesses & Consumers**

Upon further examination, the researchers found that the malware was using an icon and name similar to the legitimate Google Play app MYT Music, which already has logged more than 10 million downloads. Indeed, threat actors often hide malware on Google Play, despite Google's best efforts in the last several years to keep bad apps off its store before users are affected by it.

MYT Music was written in the Turkish language and thus researchers assume the Godfather sample they discovered is targeting Android users in Turkey. However, they suspect other versions of the malware continue to be active and targeting banking users worldwide.

Though banking Trojans tend to affect consumers more than the enterprise, business users are still at risk because they use their mobile devices at work and may even have business apps and data stored on their devices. For this reason, enterprise users should be especially wary of downloading apps from the Internet or opening any links received via SMS or emails delivered to a mobile phone, the researchers said.

Google Play has removed the app, but those with it installed are still at risk.

**How Godfather Pulls Victims' Strings**

Once it's installed on an Android device, Godfather requests 23 different permissions from the device, abusing a number of them to gain access to a user's contacts and the state of the device, as well as information related to the user account. It also can write or delete files in external storage and disable the keylock and any associated password security, the Cyble researchers said.

Godfather can successfully do money transfers from a hacked device through its ability to initiate phone calls through Unstructured Supplementary Service Data (USSD) that don't require use of the dialer user interface, and thus don't need the user to confirm the call, they said.

The malware also extracts sensitive user data from the device — including application key logs — that can be sent back to a command-and-control (C2) server, which also sends Godfather a command that forwards any incoming calls the victim receives to a number provided by the threat actor, the researchers said.

Godfather then harvests credentials: It creates an overlay window in the OnAccessibilityEvent method and injects HTML phishing pages via a separate command from C2, the server URL of which is from a Telegram channel, hxxps://t\[.\]me/varezotukomirza, the researchers said.

Once it completes its malicious activity, Godfather receives a "killbot" command from C2 to self-terminate, they added.

**Avoiding Being Whacked by Godfather**

The most common way to avoid downloading mobile app malware is to download and install software only from official app stores such as Google Play or Apple, the conventional wisdom goes.

However, as this instance proves, malware can lurk in official app stores too, so "practicing basic cyber-hygiene across mobile devices and online banking applications effectively prevents such malware from compromising your devices," the researchers noted in the post, including using a reputable antivirus and Internet security software package on connected devices to ensure anything downloaded is free from malware.

Also, advanced anti-detection methods like the ones the threat actors behind Godfather are using can make even downloading what look like legitimate apps tricky, they said. To further protect themselves, users can utilize strong passwords and enforce multifactor authentication on devices wherever possible, making it more difficult for threat actors to crack into their accounts. 

Android device users also should ensure that Google Play Protect is enabled on their devices for further security protection, the Cyble researchers added.

All mobile device users also should enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device and using apps, where possible, and be especially careful when enabling permissions on devices, especially if an app has not been verified by a reputable provider, they added.

Godfather Banking Trojan Masquerades as Legitimate Google Play App

A new US State Department assessment highlights the stark economic toll of Tehran’s recent shutdowns and platform control.

As internet shutdowns, platform blocking, and content filtering become increasingly common levers for authoritarian control around the world, Iran has presented an especially dramatic case study on the economic impact and humanitarian toll of connectivity blackouts. 

In response to mass government opposition and protests, the Iranian regime launched an extensive shutdown in September that drastically limited all digital communication in the country. And Tehran has ongoing campaigns to slow connectivity and access to popular services, including Meta's Instagram. Dragging out the disruptions, though, is beginning to reveal the true economic toll of the brutal technique, according to new assessments by the US Department of State.

Iran is already a heavily sanctioned and isolated nation, yet the government has repeatedly imposed broad digital restrictions and shutdowns, including notable initiatives in 2017 and 2019. The cumulative impact of these crackdowns has affected the rights of more than 80 million people living in Iran and disrupted every aspect of Iranian society, including commerce.

“This is another instance, an important one, in which the officials show how they consistently pick their own self-interest over the public interest,” says Reza Ghazinouri, a strategic adviser for the San Francisco–based human rights and civil liberties group United for Iran. “In the past years, millions of Iranians have fallen below the poverty line, and further limiting access to platforms like Instagram just adds many more to that number. And this disproportionately impacts women. Sixty-four percent of Iranian businesses on Instagram are women-owned.”

From communicating with customers to processing transactions, businesses rely on digital platforms in different ways, but digital disruptions have an impact on businesses of all sizes. Multiple Iranian trade associations have said in recent weeks that their member companies are reporting major losses. And some reports have found that the recent outage affected hundreds of thousands of small businesses. 

“This censorship underscores the degree to which Iran’s leadership fears what is possible when its people can freely communicate with one another and the outside world,” Rob Malley, US special envoy for Iran, told WIRED in written remarks.

The protest movement in Iran has gained momentum since 22-year-old Mahsa Amini died in the custody of Iran's “morality police” while being held for allegedly breaking rules about wearing hijab. Since September, more than 18,000 people have been detained by Iranian law enforcement related to the demonstrations, and nearly 500 people, including nearly 60 children, have been killed at the protests as officials exert increasingly draconian force on demonstrators. 

Analysis of the recent shutdown by a consortium of digital rights groups, published at the end of November and cited by the State Department, showed that the Iranian government has been deploying an increasingly broad set of technical capabilities to make it more difficult for the population to circumvent digital restrictions. For example, the government has broadened its ability to block encrypted connections to defeat users' efforts to conceal their web browsing. Officials have also continued to expand their blocks on the Google Play Store, Apple's App Store, and browser extension stores, making it harder for Iranians to download circumvention tools. The findings also indicate that there is a cumulative impact and increasing effectiveness over time as the government stacks censorship, content filtering, and blocking with intermittent and large-scale outages.

It is difficult to gauge the exact economic impact of the digital blackouts and disentangle it from other factors like international sanctions. Based on the escalating internet shutdown tactics and tolerance for self-inflicted damage, though, the State Department believes that the Iranian regime feels more threatened by the recent protest movement than previous public waves of opposition. 

Earlier this month, in a high-profile concession to protesters, the Iranian government said it had shut down the “morality police” that enforced restrictive laws, particularly a rigid Islamic dress code for women. The laws are still in place, though, and it is unclear how much the move will actually impact enforcement in practice.

A State Department spokesperson told WIRED in a statement that the White House is “committed to helping the Iranian people exercise their universal right to freedom of expression and to freely access information via the internet.”

Iran’s Internet Blackouts Are Sabotaging Its Own Economy

By Habiba Rashid
On Telegram, Killnet hackers have leaked a text file showing the login credentials of 10,000 individuals whom they claim are FBI agents.
This is a post from HackRead.com Read the original post: Russian Killnet Hackers Claim Data Theft of FBI Agents

The hacker group also claimed to have breached the security of the US Federal Motor Carrier Safety Administration (FMCSA).

The Russian hacker group, KillNet, claims to have infiltrated the FBI’s database, allegedly stealing the personal information of more than 10,000 US federal agents. Like most of their attacks, this alleged attack also appears to have political undertones motivating the pro-Kremlin group. 

It is worth mentioning that, just last week, the FBI’s security platform **InfraGard suffered a data breach** in which the personal data of its 87,000 members was stolen and leaked online.

Although Killnet’s attack remains unverified, KillNet hackers claim that the stolen data includes social media passwords and bank details. The group posted screenshots on Telegram that showed passwords to online stores, medical ID cards, and Google, Apple, and Instagram accounts.

Alleged FBI agents’ data (1) Killnet hackers on Telegram (2) Image credit: Hackread.com

“All passwords from online stores to the mass acceptance card, Google, and Apple accounts are at our disposal,” read a statement attributed to the hackers on Russian Telegram channels.

As seen by Hackread.com, another screen recording showed the hackers using the Facebook account allegedly belonging to an employee of the Federal Motor Carrier Safety Administration (FMCSA). They show being in control of the account by posting “We are KillNet” on the person’s profile page.

Image credit: Hackread.com

KillNet hackers have been behind a number of operations targeting Western government institutions and private companies supporting Ukraine since the Russian invasion in February.

Last month, the group first hit **Prince William’s website** with DDoS attacks, and just days after that, the **European Parliament website** was targeted.

**In August**, Killnet claimed to have hacked Lockheed Martin and stolen employee data. **In June**, Lithuanian government websites were also hit by crippling DDoS attacks by the same group.

Nevertheless, since the Russo-Ukraine war began in February, Killnet has launched seventy-six attacks against countries supporting Ukraine.

1.  **Anonymous Declares War Against Pro-Russia Hacker Group Killnet**
2.  **DDoS App Meant to Hit Russia, Infected Phones of Ukrainian Activists**
3.  **Russia Hackers Abuse BRc4 Red Team Pentest Tool in Recent Attacks**

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

Tag

#google