Can cyber defenders use the presence of infostealers as a canary in the coal mine to preempt ransomware attacks?

Source: Jim West via Alamy Stock Photo

Nearly a third of companies that fell victim to ransomware last year had at least one infostealer infection in the months prior to their attack.

Cyberattacks, but particularly ransomware attacks, only work when they're a surprise. It's why ransom notes through history have almost always opened by simply stating the facts: "Your network has been penetrated," or "Oops, your files have been encrypted." Companies with any notion that an attack is about to come can easily rebuff it simply by backing up and encrypting their files. That's why it's so interesting that, as SpyCloud notes in its 2024 "Malware and Ransomware Defense Report," nearly a third of all ransomware events last year were foreshadowed by an infostealer infection in the 16 weeks prior.

Infostealers before ransomware is a useful combination for attackers. What's less clear is whether it could be useful for defenders, to help reduce attackers' surprise advantage.

**Ransomware's Canary?**

In a recent attack observed by Sophos, the Qilin ransomware gang breached its target via a VPN portal. It waited 18 days, then deployed a custom infostealer to grab credentials from Google Chrome. Only later did it drop any actual ransomware.

High-level groups like Qilin might have the capacity for turnkey jobs, but perhaps more common are cases where initial access brokers (IABs) partner with ransomware actors to split things up.

Stephen Robinson, senior threat intelligence analyst at WithSecure, was investigating such a case last year. The perpetrator was a Vietnamese malware-as-a-service (MaaS) operation, delivering payloads like the DarkGate remote access Trojan (RAT) against companies in digital marketing. "The thing with \[tools like\] DarkGate is that it's one of those pieces of malware that will do infostealing or credential stealing, but also a bunch of other functions like cryptocurrency theft, and delivering ransomware," Robinson explains. The Vietnamese threat actors didn't have to perform ransomware attacks themselves. Instead, IABs like them can plant DarkGate — or RedLine, Qakbot, or Raccoon — far and wide, then sell the access they afford to the next baddies down the line, allowing both sides of the exchange to specialize in what they do best.

In its 2024 "Crypto Crime Report," blockchain analysis firm Chainalysis discovered "a correlation between inflows to IAB wallets and an upsurge in ransomware payments." For example, the ransomware group depicted in the chart below spent thousands of dollars with multiple IABs in the course of its multimillion-dollar campaigns.

Source: Chainalysis

"It definitely seems, to me at least, that this is trending upward," says Trevor Hilligoss, vice president of SpyCloud Labs. "It makes sense if you think about it. Malware-as-a-service is easy, it's cheap. A couple hundred bucks a month gets you access to a pre-built package for attacks, and a lot of these stealers have been adding more functionality."

**Can Infostealers Be Used to Predict Ransomware?**

The literally million-dollar question is this: If 30% of ransomware attacks are preceded by infostealers, can the presence of an infostealer in one's network be used to predict oncoming ransomware, giving defenders a window of time to prepare?

"It really depends on who you are," Hilligoss says. When an infostealer pops up on your network, "If you are an admin of a large, multinational insurance group, I would be very concerned, and I would think that ransomware is probably not too far away. If you're \[an individual\] person or you're a small business, your alarm would go down proportionally." Chainalysis suggested the same, writing that "monitoring IABs could provide early warning signs and allow for potential intervention and mitigation of attacks."

Robinson takes the less optimistic view, arguing that the first steps in an attack chain tend to look quite similar, no matter the threat actor.

"The issue is that someone gets access, steals some credentials, or installs a remote monitoring management tool (RMM). From that first step, you can't now predict what's going to come next," he says. "We had one case where a network was compromised by five or six different groups. There was North Korea, some cryptocurrency miners, there was a ransomware group, there was an IAB. And you couldn't tell what the next step was going to be for each one of them until they took it, because those first steps were all the same. And that's the thing with infostealers."

Either way, Hilligoss advises, "If you see this happens, then rapidly remediate. Find the exposure, figure out all of the data that was stolen from your network, go through it, and reset those credentials — reset those authentication tokens, reissue those API keys — as quickly as possible. That's going to make it really hard for a ransomware actor that has access to that information to actually use it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Infostealers: An Early Warning for Ransomware Attacks

Cary, North Carolina, 18th September 2024, CyberNewsWire

**Cary, North Carolina, September 18th, 2024, CyberNewsWire**

INE Security is proud to announce that it has been named a winner in the prestigious 2024 SC Awards, named Best IT Security-Related Training Program. This designation underscores INE Security’s commitment to excellence and leadership in the cybersecurity industry.

The SC Awards, now in its 27th year, recognize the solutions, organizations, and individuals that have demonstrated outstanding achievement in advancing the security of information systems. This year’s awards were presented across 33 categories, celebrating both established industry leaders and emerging innovators.

INE Security stood out among a competitive field of entries, demonstrating its innovation in addressing the evolving cybersecurity landscape. The Best IT Security-Related Training Program award highlights INE Security’s efforts to deliver practical, effective solutions that safeguard against today’s complex threats.

> “We are thrilled to receive the 2024 SC Excellence Award for Best IT Security-Related Training Program. This recognition highlights our relentless pursuit of excellence and innovation in cybersecurity training,” said Dara Warn, CEO of INE Security. “At INE Security, we are committed to empowering professionals and organizations with the skills they need to defend against the ever-evolving cybersecurity threats. This accolade not only reflects our commitment to the highest standards of training but also motivates us to continue advancing the field of cybersecurity education.”

The SC Awards are presented by SC Media, a trusted cybersecurity resource, and evaluated by a panel of independent industry experts. Winners are selected based on their contributions to innovation, their ability to address the cybersecurity industry’s critical challenges, and their demonstrated impact on protecting organizations.

> “These award recipients represent the very best of what the cybersecurity community has to offer,” said Tom Spring, Editorial Director at SC Media. “Each winner has shown a commitment to advancing the industry with forward-thinking solutions and an ability to adapt to new challenges. Their contributions help drive progress in securing our digital environments.”

 INE Security has been recognized among the best cybersecurity training platform in 2024 by numerous organizations including:

*   G2 as an online course provider and technical training provider
*   G2’s 2024 Best Software Awards for Education Products 
*   Security Boulevard’s list of the Top 10 Hacking Certifications for both the Certified Professional Penetration Tester (eCPPT) and Web Application Penetration Tester eXtreme (eWPTX) certifications

The SC Awards were evaluated by a distinguished panel of judges, including cybersecurity professionals, industry leaders, and members of the CyberRisk Alliance community from sectors such as healthcare, financial services, education, and technology.

The full list of 2024 SC Awards winners: https://www.scmagazine.com/sc-awards

**About INE Security:**

INE Security is the premier provider of online networking and cybersecurity training and certification. Harnessing a powerful hands-on lab platform, cutting-edge technology, a global video distribution network, and world-class instructors, INE Security is the top training choice for Fortune 500 companies worldwide for cybersecurity training in business and for IT professionals looking to advance their careers. INE Security’s suite of learning paths offers an incomparable depth of expertise across cybersecurity and is committed to delivering advanced technical training while also lowering the barriers worldwide for those looking to enter and excel in an IT career.

**About CyberRisk Alliance**

CyberRisk Alliance provides business intelligence that helps the cybersecurity ecosystem connect, share knowledge, accelerate careers, and make smarter and faster decisions. Through their trusted information brands, network of experts, and more than 250 innovative annual events we provide cybersecurity professionals with actionable insights and act as a powerful extension of cybersecurity marketing teams. Their brands include SC Media, the Official Cybersecurity Summits, Security Weekly, InfoSec World, Identiverse, CyberRisk Collaborative, ChannelE2E, MSSP Alert, LaunchTech Communications and TECHEXPO Top Secret.

**Contact**

**Director of Global Strategic Communication and Events**  
**Kathryn Brown**  
**INE Security**  
**\[email protected\]**

INE Security Wins 2024 SC Excellence Award

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Cyber Espionage / Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.

The activity cluster is being tracked by Google-owned Mandiant under the moniker **UNC2970**, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.

"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."

The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.

In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.

It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.

This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.

It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.

Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

Participants in a hacking competition with ties to China’s military were, unusually, required to keep their activities secret, but security researchers say the mystery only gets stranger from there.

Capture the flag hacking contests at security conferences generally serve two purposes: to help participants develop and demonstrate computer hacking and security skills, and to assist employers and government agencies with discovering and recruiting new talent.

But one security conference in China may have taken its contest a step further—potentially using it as a secret espionage operation to get participants to collect intelligence from an unknown target.

According to two Western researchers who translated documentation for China’s Zhujian Cup, also known as the National Collegiate Cybersecurity Attack and Defense Competition, one part of the three-part competition, held last year for the first time, had a number of unusual characteristics that suggest its potentially secretive and unorthodox purpose.

Capture the flag (CTF) and other types of hacking competitions are generally hosted on closed networks or “cyber ranges”—dedicated infrastructure set up for the contest so that participants don’t risk disrupting real networks. These ranges provide a simulated environment that mimics real-world configurations, and participants are tasked with finding vulnerabilities in the systems, obtaining access to specific parts of the network, or capturing data.

There are two major companies in China that set up cyber ranges for competitions. The majority of the competitions give a shout out to the company that designed their range. Notably, Zhujian Cup didn’t mention any cyber range or cyber range provider in its documentation, leaving the researchers to wonder if this is because the contest was held in a real environment rather than a simulated one.

The competition also required students to sign a document agreeing to several unusual terms. They were prohibited from discussing the nature of the tasks they were asked to do in the competition with anyone; they had to agree not to destroy or disrupt the targeted system; and at the end of the competition, they had to delete any backdoors they planted on the system and any data they acquired from it. And unlike other competitions in China the researchers examined, participants in this portion of the Zhujian Cup were prohibited from publishing social media posts revealing the nature of the competition or the tasks they performed as part of it.

Participants also were prohibited from copying any data, documents, or printed materials that were part of the competition; disclosing information about vulnerabilities they found; or exploiting those vulnerabilities for personal purposes. If a leak of any of this data or material occurred and caused harm to the contest organizers or to China, according to the pledge that participants signed, they could be held legally responsible.

“I promise that if any information disclosure incident (or case) occurs due to personal reasons, causing loss or harm to the organizer and the country, I, as an individual, will bear legal responsibility in accordance with the relevant laws and regulations,” the pledge states.

The contest was hosted last December by Northwestern Polytechnical University, a science and engineering university in Xi'an, Shaanxi, that is affiliated with China’s Ministry of Industry and Information Technology and also holds a top-secret clearance to conduct work for the Chinese government and military. The university is overseen by China’s People’s Liberation Army.

Neither the university nor several cosponsors of the contest responded to WIRED’s inquiry about the competition.

Dakota Cary, a strategic advisory consultant at security firm Sentinel One, and Eugenio Benincasa, senior cyber defense researcher at the Center for Security Studies at ETH Zurich university in Switzerland, discovered the unusual contest and its requirements while researching China’s hacking competitions. The two have written a report for the Atlantic Council and plan to present their findings on Thursday at the Labscon security conference in Arizona.

They acknowledge that there is no hard evidence that the competition was used to attack a real-world target and that the evidence they do have is circumstantial. But they said they are 85 percent confident that this is what occurred because no alternative explanations make sense.

“There are a lot of good alternative explanations, and none of them have supporting evidence,” says Cary, who is fluent in Mandarin and has studied China’s offensive hacking capabilities extensively for years.

One possible alternative is that the target of the attack was a domestic company or organization that cooperated with the contest in order to give students experience in finding vulnerabilities in a real network and also provide the company with a threat assessment that could help it better secure its network against real-world adversaries.

Cary, however, says such exercises in China are called “crowd-testing” contests. But nowhere in the description of the Zhujian Cup does this phrase appear. “If it’s a real CTF exercise, why are \[participants\] deleting data and … backdoors?” he asks. And why are students told they could be held legally responsible if data or material they possess as part of the competition gets leaked? And if the students were attacking a target inside a cyber range, how could this cause “loss or harm to the organizer and the country,” per the wording in the pledge?

The competition was held on a weekend over the New Year’s holiday last year, on December 30 and 31. If the target was indeed a real-world network, the researchers note that holidays are often a time when security teams are short-staffed or less attentive and alert to intrusions. About 200 students from 29 schools participated in the weekend competition, which consisted of three parts, according to a description of the contest published by the school: a theoretical knowledge competition, a vulnerability discovery contest, and a “public-network target, actual combat attack competition.” The latter is the portion that Cary and Benincasa believe focused on a real-world target.

The researchers surveyed more than 120 capture-the-flag competitions organized in China since 2004—many of them held annually—to understand how the country has used such competitions to recruit talent and expand its cyber offensive and defensive capabilities. They say that China really began to focus on developing its cyber talent in 2015, after the Edward Snowden leaks had exposed the extensive hacking operations conducted by the US National Security Agency for intelligence purposes.

To strengthen its cyber defenses, China focused on revamping and expanding cybersecurity education programs and recruitment efforts between 2015 and 2021. A big part of the latter included the development and regulation of capture-the-flag competitions.

CTFs aren’t unique to China, of course; they are held around the world, including in the US, where one of the oldest—held annually at the Defcon hacking conference in Las Vegas—has existed for nearly two decades. The US government also hosts hackathons to help recruit talent, though not at the scale of China.

Since 2014, the researchers say, more than 540 capture-the-flag rounds of competition have occurred in China. The most intense activity began in 2018, which is also when China’s Central Cyberspace Affairs Commission and Ministry of Public Security issued a notice about the regulation and promotion of such contests. Now Chinese nationals must apply to the MPS for permission to participate in hacking competitions outside of China. Chinese leaders noticed Chinese students and security professionals were having great success competing in hacking competitions internationally and realized that each time someone from China won one of these competitions, the country was losing a potentially valuable asset with the vulnerabilities they disclosed as part of the contest. Now any vulnerabilities discovered by a Chinese national must be reported to the government and not disclosed publicly.

But importantly, China’s efforts in building its domestic capture-the-flag contests means that today it has one of the most robust hacking contest ecosystems in the world, the researchers say, including sector-specific ones for health care and law enforcement. The researchers estimate that about 300,000 people have participated in the contests over the last decade, but the researchers found only four that are open to students. The contests are led by universities across the country while also being supported by companies and the government. Contest winners and others who demonstrate good skill get entered into a national database.

Cary says that if the Zhujian Cup did involve a live target, it’s “remarkable” that the organizers put students in a position that could make them legally culpable if they got caught. But if so, it wouldn’t be the first time the government used students for intelligence operations. In 2022, the Financial Times reported that China had recruited unwitting university students to translate documents and data stolen in espionage operations conducted by the country’s hacking teams, reportedly without telling the students the source of the material.

This also may not be the first time a hacking competition in China played a role in a real-world breach subsequently attributed to China. In 2015, researchers at Threat Connect found curious evidence of a possible overlap between the TOPSEC Cup hacking competition coordinated by China’s Southeast University in 2014 and the subsequent hack of health care giant Anthem that same year. Southeast has financial connections to China’s civilian intelligence agency, the Ministry of State Security.

Did a Chinese University Hacking Competition Target a Real Victim?

Increasing attacks by the OilRig/APT34 group linked to Iran's Ministry of Intelligence and Security show that the nation's capabilities are growing, and targeting regional allies and enemies alike.

Source: Novikov Aleksey via Shutterstock

In its latest cyberattack on a Middle Eastern nation using its proxies in cyberspace, Iran continues to ramp up its cyber operations against rivals and allies.

In the attack, a cyberespionage group linked to Iran's Ministry of Intelligence and Security (MOIS) and known as APT34 targeted government ministries in Iraq, a nation that was once an enemy and now is sometimes a rival and sometimes an ally of Iran. The attack had all the hallmarks of the group, also known as Hazel Sandstorm: custom infrastructure using email tunneling for communications, use of two malware programs similar to previous APT34 code, and domain-naming schemes similar to previous operations.

Previous attacks by APT34 (aka OilRig, Helix Kitten, and Hazel Sandstorm) using similar tools and methods targeted other nations in the region, including Jordan, Lebanon, and Pakistan, according to an analysis by cybersecurity firm Check Point's research group.

"The goal is likely espionage, because those countries are at least, to some degree, allies of Iran, so I don't think, in this case, the main goal is destruction," says Sergey Shykevich, threat intelligence group manager at Check Point Research. "We also don't have any hints on the technological side that there is any destructive goal, and from what we do see — specifically in Iraq — we clearly see that the goal is data exfiltration and \[the like\]."

Following the start of the conflict between Israel and Hamas nearly a year ago, rivalries and relationships throughout the region have changed. In late spring, Iran criticized Jordan — and to a lesser extent other Arab nations — for reportedly helping Israel track and interdict missiles during Iran's April 13 attack on the Jewish nation. Meanwhile, Iraq continues to have strong ties to Iran through proxy networks and political parties aligned with Iran.

**Iran's Cyber Operations Grow**

At the same time, Iran has expanded its cyber operations strategy in the region. A group linked to the Iranian Islamic Revolutionary Guard Corps (IRGC) — and known variously as APT33 (Mandiant) and Peach Sandstorm (Microsoft) — has targeted communications equipment, government agencies, and the oil-and-gas industry in the United Arab Emirates and the United States, typically to gather intelligence, Microsoft stated in August.

Late last month, the US Cybersecurity and Infrastructure Security Agency (CISA) warned that the Iranian group Lemon Sandstorm, also known as Fox Kitten, had leveled ransomware attacks against various countries, and another group, Charming Kitten, or APT42, targeted individuals associated with both the Democratic and Republican presidential campaigns.

Iran is increasingly flexing its muscles in cyberspace, and especially against rivals throughout the Middle East region, says Mohamed Fahmy, a cyberthreat intelligence researcher with cybersecurity firm Trend Micro.

"Iranian APT groups, including APT34, have become very active recently in targeting the Middle East, particularly the government sector in the Gulf region," he says. "From what we’ve seen of APT34’s toolset and activities, they aim to infiltrate entities as much as possible, leveraging compromised infrastructure to launch further attacks. ... APT34's primary goals seem to be espionage and stealing sensitive government information."

**Evasive New Malware: Veaty and Spearal**

In the latest campaign, APT34 used fake document attachments targeting Iraq between March and May of this year, and likely used social engineering to convince users to open the links and run an installer. The attack results in the installation a .NET backdoor. Currently, one backdoor is called Veaty and the other Spearal, and both malware binaries allow command-and-control (C2) of compromised systems.

The techniques used by Veaty and Spearal show similarities to two other malware families — known as Karkoff and Saitama — both of which are attributed to APT34, Check Point stated in its analysis.

Iranian cyber operations groups tend to use custom DNS tunneling protocols and a C2 channel based on email subject lines, according to the research: "This distinctive blend of straightforward tools, written in .NET, combined with sophisticated C2 infrastructure, is common among similar Iranian threat actors."

The capabilities of APT34 and Iran's other groups will only increase, says Check Point's Shykevich.

"They just improve it," he says. "They just use the same content, but each target, or each country they attack, they deploy a new generation of the same concept ..., where they improve it and make it more stealthy \[or add other features\]."

Companies in the Middle East should focus on implementing a zero-trust architecture to strengthen defenses, including establishing a mature security operations center (SOC) with managed endpoint detection and response (MDR) capabilities, says Trend Micro's Fahmy.

The increased geopolitical tensions in the region will only mean increasing efforts to gain intelligence through cyberattacks, he says.

"Government sectors in the Middle East and Gulf region should take this threat seriously," he says. "These groups aim to blend into the network environment by customizing their malware to avoid detection, \[so\] understanding their techniques, which have not changed significantly, is crucial."

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.

As Geopolitical Tensions Mount, Iran's Cyber Operations Grow

US State Department warns that Kremlin-backed media outlets in democracies around the world are hiding Russian cyber spies and actively working to sow discord.

Source: Postmodern Studio via Alamy Stock Photo

Long understood as a Kremlin-backed propaganda machine, RT News, based in the US, has been far more nefarious than officials once believed.

Just last week, the Biden administration charged two Russian nationals with pumping $10 million into RT International, a media company the US said was used by the Russian government to meddle in the upcoming US elections.

But these robust Russian interference and disinformation operations aren't unique to the US. In fact they're in full swing around the world, according to a new warning from US Secretary of State Antony Blinken.

Blinken explained in Sept. 13 statements that the US has recently discovered RT included an embedded Russian cyber unit, operating since the spring of 2023 with the full knowledge of RT leadership, adding the news outlet was "functioning like a de facto arm of Russia's intelligence apparatus."

The RT leadership team is also accused by the US of running a large crowdfunding campaign to procure equipment like weapons and generators for Russian soldiers fighting against Ukraine.

Details about RT's espionage participation and equipment fundraising were provided by RT employees, Blinken added.

**RT Tactics Replicated Around the World**

Blinken warned a similar Kremlin strategy is being used to spread disinformation and undermine democracies around the world, most acutely in Africa, Germany, and Moldova.

RT and similar influence outlets, like German outlet Red (formerly Redfish), feed intelligence gathered not just to the Russian government but media outlets and mercenary groups as well, Blinken said. Across Africa, a social media-based news organization called African Stream is being used by the Kremlin to spread disinformation in a similar fashion, he added.

"We urge every ally, every partner, to start by treating RT's activities as they do other intelligence activities by Russia within their borders," Blinken said. "Our most powerful antidote to Russia's lies is the truth."

RT News Hosted Russian Cyber Spy Unit, US Says

At least eight people have been killed and more than 2,700 people have been injured in Lebanon by exploding pagers. Experts say the blasts point toward a supply chain compromise, not a cyberattack.

The AP-900 runs on two AAA batteries, which, like any battery, could be induced to explode, but likely not with such force and scale as the explosions depicted in alleged videos of the blasts. If the pagers used by Hezbollah are the AR-924 or another model that runs on lithium-ion batteries, which can cause more dangerous explosions, it’s still unlikely that a regular pager battery alone could produce blasts that could injure multiple people.

“Those explosions aren’t just batteries,” says Jake Williams, vice president of research and development at Hunter Strategy who formerly worked for the US National Security Agency. “Based on the reporting, these pagers were likely interdicted by Israeli authorities and modified with explosives. This highlights the risks of supply chain security, especially in places where technology is harder to ship to.”

Gold Apollo did not immediately respond to WIRED's request for comment.

Williams points out that such an operation would likely involve operatives on both the tech distribution side and the Hezbollah procurement side. “You compromise the supply chain, but you don't want thousands of explosive pagers running around Lebanon,” he says. “The mole gets them to exactly the right people.”

Some reports on Tuesday indicate that Hezbollah recently expanded its use of pagers in an attempt to secure communications after other channels had been infiltrated by Israeli intelligence. The Associated Press reported that an anonymous “Hezbollah official” said the group had recently adopted a “new brand” of pagers that “first heated up, then exploded.”

“It's unlikely that hacking was involved, as it's likely that explosive material had to be inside the pagers to cause such an effect,” says Lukasz Olejnik, an independent consultant and visiting senior research fellow at King’s College London’s Department of War Studies. “Reports mention the delivery of new pagers recently, so perhaps the delivery was compromised.”

Michael Horowitz, head of intelligence at Middle East and North Africa risk management company Le Beck International, says if the attack is supply-chain-based, then it could have taken years to prepare and involved infiltrating a supplier and placing explosives inside new pagers.

“This is a major security breach, particularly if we’re talking about a charge that was placed inside the devices—which, in my opinion, is the most likely scenario,” Horowitz says. “This would mean that Israel has managed to infiltrate Hezbollah providers to the point of delivering hundreds (if not thousands) of devices used for secured communication.”

The incident comes amid escalations of fighting between Israel and Hezbollah in recent months, raising fears of a full-blown war. In the hours before the explosions on Tuesday, Israel said its war goals would include allowing 60,000 people to return to Northern Israel after they were evacuated following Hezbollah attacks, and it would not rule out military action.

Horowitz says the incident could be a “prelude to a broader offensive” and possibly meant to disrupt Hezbollah’s communications networks. It is likely that replacing a large number of pagers would take some time to organize. Alternatively, Horowitz says, the attack could also have been conducted to show the “scale of Israel's intelligence penetration.”

“This is a high-value operation that you wouldn't use just to cause injuries,” Horowitz says.

Even if the blasts were not caused by a cyber-physical attack that induced the pager batteries to explode, it's still possible that explosives planted in the pagers were detonated using a remote command, possibly even a specially crafted pager message. Some footage appeared to show users checking their pagers right as the explosions occurred, though this could have been coincidental.

The operation could have a psychological impact on Hezbollah given that bombs may have been lurking undetected in such an unassuming device. And though Tuesday’s attacks were notably aggressive, it would not be the first time Israeli intelligence has reportedly planted explosives in electronics.

_Updated at 3:25 pm ET, September 17, 2024: Added additional details about potential ways the attack could have been carried out._

_Updated at 3:40 pm ET, September 17, 2024: Added additional details about the pager model that may have been used in the attack._

_Updated at 5:20 pm ET, September 17, 2024: Updated to reflect the latest casualty figures._

The Mystery of Hezbollah’s Deadly Exploding Pagers

Despite more US sanctions against spyware operators, Apple decided the cost in terms of disclosures about its own anti-spyware efforts was too great.

Source: stLegat via Alamy Stock Photo

Stopping the spread of commercial spyware is shaping up to be too big of a job even for tech titans like Apple.

The company dropped its years-long legal effort against Pegasus spyware dealer NSO Group, declining to hand over sensitive threat intelligence that it said could be used by adversaries against its own security defenses.

Pegasus spyware is a zero-click espionage malware deployed against iPhones, including that of Russian journalist Galina Timchenko, among others.

Meanwhile, international governments continue to hammer individuals and entities affiliated with commercial spyware operations with sweeping sanctions that have have little effect, leaving the digital espionage market wide open for investors, operators, and dictators around the globe.

Cupertino's brass is also encouraged by the work the US, international governments, and the tech sector at large have done to fight the rise of commercial spyware, Apple explained in its Sept. 13 motion to dismiss.

"When it filed this lawsuit nearly three years ago, Apple recognized that it would involve sharing information with third parties," Apple said. "Because of the developments since this suit was filed, proceeding forward at this time would now present too significant a risk to Apple's threat intelligence program."

Apple laid out other factors in the changed the landscape that made it increasingly dangerous for the company to release sensitive information.

First, Apple claimed that in the years since it first brought legal action against NSO Group it has continued to develop its threat intelligence to actively defend its users from threat actors. Handing over details about how Apple fights spyware to known spyware operators would be a bad idea. Apple added that NSO Group had been stingy with disclosures it made during the case's discovery process.

Further, Apple noted the commercial spyware sector has become more decentralized and that NSO Group is no longer a single actor in the cyber-espionage space; any action against the Israeli company would simply strengthen other spyware sellers as authoritarian governments pivot from Pegasus to numerous competing spyware brands.

Finally, Apple explained to the court that international governments have come around in the past three years and taken up the fight against spyware and the threat it poses to human rights around the world.

**Spyware Sanctions Aren't Working**

As if on cue, the US Department of the Treasury dropped a new round of sanctions just days later, on Sept. 16, this time against what the department calls "enablers" of the Intellexa commercial spyware consortium, identified to be behind Predator spyware. Sanctioned individuals include Felix Bitzios, Andrea Nicola Constantino Hermes Gambazzi, Merom Harpaz, Panagiota Karaoli, Artemis Artemiou, and the Aliada Group Inc.

These sanctions prohibit any US transactions with those named as well as any entities in which they own 50% or more, bar them from obtaining a US visa, and more.

But research shows sanctions have had little impact on stymieing the broader commercial spyware market. Digital eavesdropping continues to be deployed against diplomats, journalists, and ordinary citizens and vendors while intelligence gatherers have improved their ability to operate in the shadows, easily gaming sanctions and restrictions.

This past March, two individuals and five entities the US government said were associated with Predator mobile spyware operators were sanctioned as a result of Predator's network and infrastructure's spread into Botswana and the Philippines.

Nonetheless, it seems the cost of stopping spyware in the courtroom is too high even for the deepest-pocketed actors like Apple. Instead Apple said it will dig in on defense and leave offense to the feds.

"Apple has made the decision to prioritize its expert security resources and advanced threat-intelligence program to continue to stop destructive spyware through technical methods," the company said.

Apple Abandons Spyware Suit to Avoid Sharing Cyber Secrets

Apple Security Advisory 09-16-2024-10 - macOS Ventura 13.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-10 macOS Ventura 13.7

macOS Ventura 13.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121234.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive user information  
Description: The issue was addressed with improved checks.  
CVE-2024-44129

App Intents  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppKit  
Available for: macOS Ventura  
Impact: An unprivileged app may be able to log keystrokes in other apps  
including those using secure input mode  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27886: Stephan Casas, an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40814: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

Automator  
Available for: macOS Ventura  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Ventura  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Ventura  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Ventura  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Shortcuts  
Available for: macOS Ventura  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Ventura 13.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboy2sACgkQX+5d1TXa  
IvoOmhAA1kPpqqhEBRbskSU4pFIfX+JY/MyIrnI+6pNgMk3CLhQ5SSx0aFS2tg/c  
We70hoiTA8eWMvRkYr8KYNriNstqCivg7iq84Gv4/ycJ9Hx4Zwj6pZh5If1H8y+Q  
3NVsvLgnmvnAb6W7MvpXtgma47vA5xRe2oefCNe6QbcC2qnQ2xaspBZtH805IkAi  
WznXdr7UXmjJyfjlgp2FifyiLYQoPXPGFOLKkBURDCxaH4SJidgvzxerU+B+1ju9  
dqW29eQwTjG+qhXncTuxfUSuQ5s7g5XfVqfvcTQihUk+ZjWaMYOaUT2UYlAgDfg5  
Mq35kP/Hvh8zmf+Ryufl3D+qfKpyVUUJUKu+kEMbOIoIMkCzM4F0G30czaKiGCA+  
tJCEtsY/oxcbEcy8DLQbesPCv5Hf1Gv2fMkP3p/6CAYqXQ1mXQF0Vm2erKRqS+yD  
N2+M+r/GFzvK4i9bf6j10kDgv9PRxPs+pH9zuU85cwhT+jZzr2dkvTC9p+mI+5CJ  
AZ7ZMgTLbXDw2M4d4e6mEV3XbJ5ebNqQv9t0Hfbg3pf8YVEeAO0casIPopLK6fqi  
uS7gn/3PL9C1HS2gqlekYuwiP0DSleKk9qCDUVVfmAAxTA1vHKvtvlRBO0ykN7HI  
NmX+8AuFy8jnZRmZWXIbav1/EdWYg7e5SLCD+pemYLcMYSoSNXg=  
=YxVI  
-----END PGP SIGNATURE-----

Apple Security Advisory 09-16-2024-10

Apple Security Advisory 09-16-2024-9 - macOS Sonoma 14.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, out of bounds write, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-9 macOS Sonoma 14.7

macOS Sonoma 14.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121247.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved permissions logic.  
CVE-2024-44153: Mickey Jin (@patch1t)

App Intents  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted video file may lead to  
unexpected app termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-40846: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative  
CVE-2024-40845: Pwn2car working with Trend Micro Zero Day Initiative

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: A memory initialization issue was addressed with improved  
memory handling.  
CVE-2024-44154: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Sonoma  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

AppleVA  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted video file may lead to  
unexpected app termination  
Description: An out-of-bounds write issue was addressed with improved  
bounds checking.  
CVE-2024-40841: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

AppSandbox  
Available for: macOS Sonoma  
Impact: An app may be able to access protected files within an App  
Sandbox container  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44135: Mickey Jin (@patch1t)

Automator  
Available for: macOS Sonoma  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Sonoma  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-27880: Junsung Lee

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Sonoma  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Sonoma  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Sonoma  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Sonoma  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Sonoma  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Sonoma  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Sandbox  
Available for: macOS Sonoma  
Impact: A malicious application may be able to leak sensitive user  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44125: Zhongquan Li (@Guluisacat)

Security Initialization  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-40801: Zhongquan Li (@Guluisacat), Pedro José Pereira Vieito  
(@pvieito), an anonymous researcher

Shortcuts  
Available for: macOS Sonoma  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Sonoma  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

sudo  
Available for: macOS Sonoma  
Impact: An app may be able to modify protected parts of the file system  
Description: A logic issue was addressed with improved checks.  
CVE-2024-40860: Arsenii Kostromin (0x3c3e)

System Settings  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Sonoma  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Sonoma 14.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboywEACgkQX+5d1TXa  
IvrDjxAA2tgRLOOTvFpZrVW/HEBxwCFUn7UkzXyfgUTuqntjSvmsc/pyVmPDpnOM  
UnLhZ4d3B6v44MSelhxSbomtGkggQfYAvcNmlPDk+yMMS0K5yRBJ3dobEt4e53Wj  
9DQl2cQfHxop3uaLRFRTRy5Wk46xIZcsPS3Obb0kLAZpnzD1K2UQ5tIgEVF2ETqi  
SaRlrjqsgiauG/qZ8pzJjQSB1/iNBJCf4TBMBmHHJ91zAVOiYxvVcIAcBl1cBK4m  
UU6Z0vF1NmNCTAu/8KPP0Y6AD5tM7ZrkotU1yTP8uey4r3Ec8XrZqzhTH05sMI5V  
Xt98UeRNl2EJQAJR2Wjfsa2u255SvJ9VJpOGpTff9npsP5c6a7fup2mcKSVmCJHG  
FxFoU9WC2Lx2fsb7kBZXx5y4+/lwKBh8gQBkqOB4vttUZIYwp/rwXJtBvwkSb3E+  
2MTYly0SAAAbwrGoImKsskbiOxB+Ebry2cZ4Rg8rKKwQIfpjpgCb2U97Ue1zCU/S  
lHCObpyD0HtDD13zYw3NXfbrcWS195WhLdgtVl9XJz90pQQwdcINzubGhILmabpl  
Q+QXoSuKNi0ooy9qO8yEmQdzF0swD/FZMqTmF6FFtFby4NpY6ooapHHyhJOGeqSn  
/Poj2T/Ay/xaX7VL2fUPU9n0KTNtp+HgvgpzMX31HpBNXo/96Eo=  
=YUrh  
-----END PGP SIGNATURE-----

Tag

#intel