Apple Security Advisory 2023-09-21-4 - watchOS 10.0.1 addresses bypass vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-4 watchOS 10.0.1

watchOS 10.0.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213928.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: A local attacker may be able to elevate their privileges. Apple  
is aware of a report that this issue may have been actively exploited  
against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
CVE-2023-41992: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Security  
Available for: Apple Watch Series 4 and later  
Impact: A malicious app may be able to bypass signature  
validation. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: A certificate validation issue was addressed.  
CVE-2023-41991: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+QACgkQX+5d1TXa  
Ivrolg//eCfa6uj7rYz+BwmO2KTNLG+gAn+NZ9hnFb/txI8aoIwYc5rxDM8ektDP  
itxupK30fcz3cG3fdWazD8YQ16Q7nN9KgU1alLELMZCgBI9K9osMGHzwzCepF1bJ  
gaIt6e/DT6nEruNbtR9DOvZYFK0bBaM+Iar6GZ9NgSP8KwXZjRgCUBtaYuKEu2z4  
K3xic4l0iKbV6T+Wb2hoinsRYjD5vf85q/6qcufRzUdBzpCyy6jEmMZs0CKnCef7  
joEtz1tCVOydrydWXDNrmVXm5BLjBp4Fo3+i5O+zXXJvOaFdvHsbZ9IXmdMR2Zrz  
YY7XxCawuRopfTAsNmnl8dYGGA2u9hSNmxienTCReYfF2gY6QG9tUpnS6TYkv1+3  
HT/W5or4HLlVQvG4M+6ZOLIL/RlCBlnJBP7L78FYQW/0650FU6Xq3UoeQIx5LBf2  
xtz4Dk/Dd/hF0dpGgRtg/Qw1ZqMZbwSgM4Z9yNOT1BnDWKgPyyl4Cg8D50ua4jyH  
eGXUOQhM8hUoaIYjyNe2HM44tW3zZue/eXdu2xLL0LqwBWu4nEZBoyXHJLZHCtYq  
W3KFBpcK3xgXujoknsu+X4Lq/oKH9SdPVmExkIZ/3Ga+8W2pYS3vIhRglt/Cuiis  
xezTX8F3NjxIIztlBwlIgIGcdhb3pFRm7YqMwXykxOIpevPAyRM=  
=zsee  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-4

Apple Security Advisory 2023-09-21-3 - iOS 16.7 and iPadOS 16.7 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7iOS 16.7 and iPadOS 16.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213927.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Additional CVE entries coming soon.KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupSecurityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupAdditional recognitionKernelWe would like to acknowledge Bill Marczak of The Citizen Lab at TheUniversity of Toronto's Munk School and Maddie Stone of Google's ThreatAnalysis Group for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7 and iPadOS 16.7".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+MACgkQX+5d1TXaIvqDVA//ViOiBbSSAlFO6+SkMIWoXJvV+5lQktWubXwtiDkC2gXrxFazBMrGOmzz1ELGkLVPGbgPR0nt5C2VrmFWEQ6U4HGf8K1RTIniqqSVHuVZeoQ8JGobIEItgj0/NYws3BtdZKaYJtW9imdMBgjk9pFsqYvw14yNxxScaUz1zmOjdbslQSkYIMqYp5Er2ION56ZLVvTfNs70RsZ3k/8S+2FFR1UQR0kfXrGZg7vmeaEw0XPW7NZGjLDiDTxW/Ro2lfl/7jLMH7gy5IeHTJw0TsZZlkCgQ0EllJ3UPuptpr9EiNgs26bJLGjv8Hjl1Mp1/uzkPhdNLcN8UghgCrQNHuMb9P69DcHahOAuACCPWO09eoQay2+ZmMR+Ec7HKUmVEnjCJ7I4crIY93c8zXdkrFp06kwcLOUo7JzVy7WWAn302wGKnNW1G/q7FXNSbGnWs/mQMWXfB3eeLT7atU39RmCQgLNopfQuJfgImTYiSYhVB1xBt0sKnP9OfT2RKlWO4+7Igs9UzcNkbNnDjkJGGtZuQNG1njUHDRaePpC8YnesQ5Xo3mUAdEKKDjfsvgvy/xZXLggpwj1Vo5RrRsceiWEjjffCsRJaBEx/R03dv4JUkm3VT/dRFWEntroGZ+lvhgKjvKUszZ9/ztER3Yfw9FvptRwznshof/KYt+IKAVwnQOQ==oY3a-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-3

Apple Security Advisory 2023-09-21-2 - iOS 17.0.1 and iPadOS 17.0.1 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-21-2 iOS 17.0.1 and iPadOS 17.0.1iOS 17.0.1 and iPadOS 17.0.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213926.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.KernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,iPad mini 5th generation and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupSecurityAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,iPad mini 5th generation and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.0.1 and iPadOS 17.0.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+MACgkQX+5d1TXaIvrv2BAA2OVuQh+A+ueReKyIWMrCbMSa8Vr/0I30lmR6EwagXspttZU6o5B1YpxDQGljaQT4wKizwxW0Uvkjr/b74oLcfsTp0VVNF8RqrFLPEw7CszXANhxoCHa47J3BX4WYvVKMmjc65AAcBby54UXLBVRKs1pdcWXE+/X+/Oo+LzynUeuFzNlMJ6bMBtrax2ip/gLwNiR47gkpwP3JSnChnAwulbDnUVNpdt9+eRnU5qAoFKsCGVlbCj34lqVyPpHBc4NXAjar+F/iQkTVGwWpeolMFaxUNMWspy4dhdni3ol5lxjRZvBTQqqCiEy1iX1KrU+ZXiIu8GRAMJcYYczM0AqrGc3P59jmMKR9x1tmoWcqVJr4o05c89K4QPy/xxCO6D1kNkk4Flo4ko/9UElFlAkdcoh+Uw63lvc7QtsjIgbkkktD6Oy+PQmaPtXLijmJ6pAbX9IpFCyNDdGX+Iwpqa7gp9oxVD3O4UVIqJkMTcUlDqP7oOHyOVbLLDIhbL+11gQFRjO1j6CO5wqohd234XKArks/ifw2BUV5itOxt/jHfRP7XJpgBXx+R91RxWSn8r1Bf/GMD7S+jIpfJ6kON/UykDTqYHHJYhpMaKlLwuZQY5iWyp0SySTY+UHhl4Q/hGIEFQHItjz3Vk+1Kn6iwh4XDWHPMOLFTXkNoxl7dy5cQ+k==g23D-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-2

Apple Security Advisory 2023-09-21-1 - Safari 16.6.1 addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-1 Safari 16.6.1

Safari 16.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213930.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: macOS Big Sur and Monterey  
Impact: Processing web content may lead to arbitrary code  
execution. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Safari 16.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+IACgkQX+5d1TXa  
IvrZ2BAAuNoAbXP8tdVUSSH8ZI5HlF80jdbUjVTMvRXl0sjkzBPGaS9g0hKJWZhD  
4b4yKY5/4flWuL4SXWaSzk8ZDe0EmgUoKG1Nr1rROR+KzXY78mm5V8z3xheCH4+d  
4e8wJ57xLQn++Gw1heVC21JBgFIq00OAbnBptPKfMQZGQaa6g/aRV8o/gezWcG3Y  
3zqbrW2wSvfTVWE2yMKJBTnHLbHZNWWHXojWJqgmKRli3pyfrff2N6vk7w0nsBxg  
FNgreWXK4KO3MkGONXYRdmwbqWpiLokJ2oAiHI4sepF4eb9mgrJ/dOLHVoWZ9HVm  
BWG7TKKV780d15dNegx4zgTU8p9X9x7rFvY3EoKjpg0Hvd/yf/4POeKCAz9TB2ve  
sVmGlHHqrYZm+ZkxmGHZwbZWzUTLSs6+T0T906LR5+qFUeffpjQTKFi7kOVuKIxt  
6GbWt+Tmfvkka/Wt/NM1xQXB0CCm1TtudqHgCECXGN3ZT5kxVlJpyltltG2o+Mp4  
IN31lMQ+77zwT59JOkup045RLWhaoMFfqpIJ61LYT0g16OXZmJH/Lheawy4LUr/N  
85A+42DoTsVwjOU8BoRhWqSX/nZeBcadV7hhK2rGw9pI2LI6S24BoIH6DUc5VTfX  
kQzhBo+SN5ZgV2c3mPO4DuRzAn9ijZO7HnJou/0nM7cZTJEmAVA=  
=dCMM  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-1

Tibetan, Uyghur, and Taiwanese individuals and organizations are the targets of a persistent campaign orchestrated by a threat actor codenamed EvilBamboo to gather sensitive information.
"The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users," Volexity security researchers Callum Roxan, Paul

Tibetan, Uyghur, and Taiwanese individuals and organizations are the targets of a persistent campaign orchestrated by a threat actor codenamed **EvilBamboo** to gather sensitive information.

"The attacker has created fake Tibetan websites, along with social media profiles, likely used to deploy browser-based exploits against targeted users," Volexity security researchers Callum Roxan, Paul Rascagneres, and Thomas Lancaster said in a report published last week.

"Partly through impersonating existing popular communities, the attacker has built communities on online platforms, such as Telegram, to aid in distribution of their malware."

EvilBamboo, formerly tracked by the cybersecurity firm under the name Evil Eye, has been linked to multiple attack waves since at least 2019, with the threat actor leveraging watering hole attacks to deliver spyware targeting Android and iOS devices. It's also known as Earth Empusa and POISON CARP.

The intrusions directed against the Apple mobile operating system leveraged a then-zero-day vulnerability in the WebKit browser engine that was patched by Apple in early 2019 to deliver a spyware strain called Insomnia. Meta, in March 2021, said it detected the threat actor abusing its platforms to distribute malicious websites hosting the malware.

The group is also known to use Android malware such as ActionSpy and PluginPhantom to harvest valuable data from compromised devices under the guise of dictionary, keyboard, and prayer apps made available on third-party app stores.

The latest findings from Volexity attribute to EvilBamboo three new Android espionage tools, namely BADBAZAAR, BADSIGNAL, and BADSOLAR, the first of which was documented by Lookout in November 2022.

A subsequent report from ESET last month detailed two trojanized apps masquerading as Signal and Telegram on the Google Play Store to entice users into installing BADSIGNAL. While the Slovak cybersecurity firm assigned the bogus to the BADBAZAAR family, citing code similarities, Volexity said, "they also appear to be divergent in their development and functionality."

Attack chains used to distribute the malware families entail the use of APK sharing forums, fake websites advertising Signal, Telegram, and WhatsApp, Telegram channels devoted to sharing Android apps, and a set of bogus profiles on Facebook, Instagram, Reddit, X (formerly Twitter), and YouTube.

"The Telegram variants implement the same API endpoints as the Signal variants to gather information from the device and they implement a proxy," the researchers said, adding it identified endpoints indicating the existence of an iOS version of BADSIGNAL.

One of the Telegram channels is also said to have contained a link to an iOS application named TibetOne that's no longer available in the Apple App Store.

UPCOMING WEBINAR

Fight AI with AI — Battling Cyber Threats with Next-Gen AI Tools

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

Messages shared via the Telegram groups have also been used to distribute applications backdoored with the BADSOLAR malware as well as booby-trapped links that, when visited, run malicious JavaScript to profile and fingerprint the system.

While BADBAZAAR is mainly used to target Uyghur and other individuals of the Muslim faith, BADSOLAR appears to be used primarily with apps that are Tibetan-themed. However, both strains incorporate their malicious capabilities in the form of a second stage that's retrieved from a remote server.

BADSOLAR's second-stage malware is also a fork of an open-source Android remote access trojan called AndroRAT. BADSIGNAL, in contrast, packs all of its information-gathering functions in the main package itself.

"These campaigns largely rely on users installing backdoored apps, which highlights both the importance of only installing apps from trusted authors and the lack of effective security mechanisms to stop backdoored apps making their way on to official app stores," the researchers said.

"EvilBamboo's creation of fake websites, and the personas tailored to the specific groups they target, has been a key aspect of their operations, enabling them to build trusted communities that provide further avenues to target individuals with their spyware or for other exploitation."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese

Categories: News
Tags: Themebleed

Tags:  zero-days

Tags:  Apple

Tags:  T-Mobile

Tags:  MGM

Tags:  metaverse

A list of topics we covered in the week of September 18 to September 24 of 2023



(Read more...)




The post A week in security (September 18 - September 24) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 18 - September 24)

By Waqas
Former Egyptian MP targeted with predator spyware ahead of 2024 presidential run - Therefore, Update your macOS Ventura, iOS, and iPadOS devices NOW, as Apple has released emergency updates to address the flaws.
This is a post from HackRead.com Read the original post: Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware

****Key Findings****

*   **Ahmed Eltantawy, a former Egyptian MP and presidential candidate, was targeted with Cytrox’s Predator spyware after announcing his bid for the presidency.**

*   **The spyware was delivered through SMS, WhatsApp messages, and network injection attacks, highlighting the advanced tactics used against Eltantawy.**

*   **Researchers obtained an iPhone zero-day exploit chain used to install Predator on iOS devices, affecting versions through 16.6.1.**

*   **The network injection attack was attributed with high confidence to the Egyptian government, as it originated from a device physically located within Egypt.**

*   **This case raises concerns about the lack of controls on the export of spyware technologies and underscores the importance of security updates and lockdown modes on Apple devices.**

In a recent investigation by Citizen Lab, alarming findings reveal that former Egyptian Member of Parliament, Ahmed Eltantawy, was the victim of a sophisticated cyber espionage campaign that leveraged Cytrox’s Predator spyware.

This targeting occurred between May and September 2023, shortly after Eltantawy publicly announced his intention to run for President in the 2024 Egyptian elections.

Here, it is worth noting that Cytrox’s Predator spyware was initially discovered targeting Android devices **in May 2022**. However, in August 2022, Citizen Lab **pointed out** a connection between the spyware and the European spyware vendor, Intellexa Alliance.

At that time, the spyware was used to target a lawmaker in Greece, and interestingly, the same firm had previously **made headlines in November 2019** when Cypriot authorities seized a surveillance van belonging to Intellexa. This surveillance van was equipped with hacking tools capable of intercepting, cracking, and tracking smartphones.

The campaign against Eltantawy utilized various tactics, including SMS and WhatsApp messages containing malicious links. Moreover, Eltantawy’s mobile connection with Vodafone Egypt was persistently selected for targeting via network injection.

When Eltantawy visited non-HTTPS websites, a device within Vodafone Egypt’s network automatically redirected him to a malicious website to infect his phone with Cytrox’s Predator spyware.

Citizen Lab’s **investigation** uncovered an iPhone zero-day exploit chain designed to install Predator on iOS versions through 16.6.1. They also obtained the first stage of the spyware, which shared notable similarities with a sample of Cytrox’s Predator spyware obtained in 2021. With high confidence, Citizen Lab attributes the spyware to Cytrox’s Predator spyware.

Given Cytrox’s known association with the Egyptian government, which is a customer of the Predator spyware, and the fact that the spyware was delivered via network injection from a device physically located within Egypt, Citizen Lab confidently attributes the network injection attack to the Egyptian government.

This isn’t the first time Eltantawy has been targeted. In November 2021, his phone was infected with Cytrox’s Predator spyware through a text message containing a link to a Predator website.

These revelations raise serious concerns about the use of spyware to target opposition figures in a democratic process. Ahmed Eltantawy’s case underscores the need for strong cybersecurity measures and heightened awareness of potential threats during election campaigns.

****Apple Releases Emergency Updates Amid Citizen Lab’s Disclosure****

In response to Citizen Lab’s findings, Apple has issued three emergency updates for iOS, iPadOS **(1)**, and macOS Ventura **(2)**. The updates address the following vulnerabilities:

*   CVE-2023-41991
*   CVE-2023-41992
*   CVE-2023-41993

Apple has also acknowledged the researchers’ findings and **stated** that the company is aware of reports suggesting that this issue may have been actively exploited in versions of iOS prior to iOS 16.7.

Commenting on this, **Dr Klaus Schenk**, senior vice president of security and threat research at Verimatrix, said “The vulnerabilities discovered in Apple’s platforms are highly concerning due to their potential impact. Privilege escalation, arbitrary code execution, and especially remote exploitable arbitrary code execution rank among the most dangerous issues for any computing system.”

Dr Klaus emphasised that “It’s reassuring that Apple has not yet disclosed technical details of the attack vectors. Keeping that information private significantly reduces the risk of widespread exploits, since threat actors have less information to engineer effective attacks. For remote code execution to occur, a user would need to visit a website specifically crafted to leverage these vulnerabilities and distribute malicious code. With details undisclosed, the number of sites currently capable of mounting such an attack is likely very low.”

“That said, Apple customers should immediately install these emergency security updates to protect themselves against potential targeted attacks. Timely patching is critical, as threat actors will eventually reverse engineer the fixes to understand the underlying flaws. By updating promptly, users ensure their devices cannot be compromised by attacks exploiting these particular zero-day vulnerabilities, he advised.” “Moving forward, it’s essential that Apple continue working diligently to identify and rectify security issues in their software before they can be weaponised against users.”

This marks the second time in a month that Citizen Lab has detected a sophisticated spyware campaign targeting Apple devices. **On September 7th, 2023**, Apple released a critical security update to address a zero-click vulnerability that was actively delivering NSO Group’s Pegasus spyware to iPhones. These revelations were initially reported by Citizen Lab, which classified the attack as a BLASTPASS operation.

****Conclusion****

The Citizen Lab’s findings also shed light on the importance of maintaining up-to-date software and enabling security features like Lockdown Mode on Apple devices. They emphasize the critical role that security measures play in safeguarding individuals from cyber threats.

Additionally, the report calls for increased controls on the export of technologies that can be misused to violate human rights. It highlights the need for greater transparency and accountability in regulating dual-use technology exports, especially in cases involving companies headquartered in Canada.

In a world where cyber threats are becoming increasingly sophisticated, these findings serve as a stark reminder of the importance of digital security and the potential consequences of inadequate measures.

****RELATED ARTICLES****

1.  QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks
2.  Apple AirTags can be used as trojan for credential hacking
3.  Israeli spyware used in hacking phones of journalists globally
4.  Android Version of Sophisticated Pegasus Spyware Discovered
5.  Israeli Spyware Vendor Uses Chrome 0day to Target Journalists

Zero-Day iOS Exploit Chain Infects Devices with Predator Spyware

Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  emergency

Tags:  update

Tags:  CVE-2023-41991

Tags:  CVE-2023-41992

Tags:  CVE-2023-41993

Apple has released patches for three zero-day vulnerabilities that may have been actively exploited.



(Read more...)




The post Emergency update! Apple patches three zero-days appeared first on Malwarebytes Labs.

Apple has released security updates for several products to address a handful of zero-day vulnerabilities that may already have been used by criminals. Updates are available for:

*   iOS 16.7 and iPadOS 16.7
*   iOS 17.0.1 and iPadOS 17.0.1
*   watchOS 9.6.3
*   watchOS 10.0.1
*   macOS Ventura 13.6
*   macOS Monterey 12.7
*   Safari 16.6.1

The updates may already have reached you in your regular update routines, but it doesn't hurt to check if your device is at the latest update level. If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

The Common Vulnerabilities and Exposures (CVE) database lists publicly disclosed computer security flaws. The CVEs patched in these updates are:

*   CVE-2023-41991, a certificate validation issue that could allow a malicious app to bypass signature validation.
*   CVE-2023-41992, a flaw that could be used by a local attacker to elevate their privileges.
*   CVE-2023-41993, a problem with processing web content that could be used for arbitrary code execution.

Apple states says that all these vulnerabilities may have been actively exploited against versions of iOS before iOS 16.7.

It’s important to note that CVE-2023-41993 is a vulnerability in WebKit. WebKit is the engine that powers the Safari web browser on Macs as well as all browsers on iOS and iPadOS (all web browsers on iOS and iPadOS are obliged to use it). It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

All three vulnerabilities were credited to the same researchers—Bill Marczak of The Citizen Lab at The University of Toronto's Munk School, and Maddie Stone of Google's Threat Analysis Group. The Citizen Lab is an interdisciplinary laboratory based at the Munk School of Global Affairs & Public Policy, University of Toronto, focusing on research and development at the intersection of information and communication technologies, human rights, and global security. It is renowned for its research of the use of spyware against journalists, activists, and dissidents.

About two weeks ago, we reported about two Apple issues that were added by CISA to its catalog of known exploited vulnerabilities. Those vulnerabilities were also discovered as zero-days by CitizenLab. Together, these two vulnerabilities were found to be used in an attack chain dubbed BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim and was reportedly used by the NSO Group to deliver the Pegasus spyware.

It is not hard to see how these three new vulnerabilities could be used to compromise a device just by viewing specially crafted malicious web content, so it’s highly recommended to install these updates at your earliest convenience, especially iPhone users with a high profile threat model.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

Emergency update! Apple patches three zero-days

Taskhub version 2.8.8 suffers from a cross site scripting vulnerability.

    ## Title: TASKHUB-2.8.8-XSS-Reflected## Author: nu11secur1ty## Date: 09/22/2023## Vendor: https://codecanyon.net/user/infinitietech## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874## Reference: https://portswigger.net/web-security/cross-site-scripting## Description:The value of the JSON parameter within the project parameter is copiedinto the HTML document as plain text between tags. The payloadvn5mr<img src=a onerror=alert(1)>i62kl was submitted in the JSONparameter within the project parameter. This input was echoedunmodified in the application's response. The already authenticated(by using a USER ACCOUNT)attacker can get a CSRF token and cookiesession it depends on the scenarios.STATUS: HIGH Vulnerability[+]Test exploit:```surw7%3Cscript%3Ealert(1)%3C%2fscript%3E```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html)## Time spent:01:10:00

Taskhub 2.8.8 Cross Site Scripting

The fix for XSA-423 added logic to Linux'es netback driver to deal with
a frontend splitting a packet in a way such that not all of the headers
would come in one piece.  Unfortunately the logic introduced there
didn't account for the extreme case of the entire packet being split
into as many pieces as permitted by the protocol, yet still being
smaller than the area that's specially dealt with to keep all (possible)
headers together.  Such an unusual packet would therefore trigger a
buffer overrun in the driver.


**Information**

Advisory

XSA-438

Public release

2023-09-19 12:00

Updated

2023-09-20 09:19

Version

2

CVE(s)

CVE-2023-34322

Title

top-level shadow reference dropped too early for 64-bit PV guests

**Files**advisory-438.txt (signed advisory file)  
xsa438.patch  
xsa438-4.15.patch  
xsa438-4.16.patch  
xsa438-4.17.patch**Advisory**

\-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

            Xen Security Advisory CVE-2023-34322 / XSA-438
                               version 2

   top-level shadow reference dropped too early for 64-bit PV guests

UPDATES IN VERSION 2
====================

Public release.

ISSUE DESCRIPTION
=================

For migration as well as to work around kernels unaware of L1TF (see
XSA-273), PV guests may be run in shadow paging mode.  Since Xen itself
needs to be mapped when PV guests run, Xen and shadowed PV guests run
directly the respective shadow page tables.  For 64-bit PV guests this
means running on the shadow of the guest root page table.

In the course of dealing with shortage of memory in the shadow pool
associated with a domain, shadows of page tables may be torn down.  This
tearing down may include the shadow root page table that the CPU in
question is presently running on.  While a precaution exists to
supposedly prevent the tearing down of the underlying live page table,
the time window covered by that precaution isn't large enough.

IMPACT
======

Privilege escalation, Denial of Service (DoS) affecting the entire host,
and information leaks all cannot be ruled out.

VULNERABLE SYSTEMS
==================

All Xen versions from at least 3.2 onwards are vulnerable.  Earlier
versions have not been inspected.

Only x86 systems are vulnerable.  Only 64-bit PV guests can leverage the
vulnerability, and only when running in shadow mode.  Shadow mode would
be in use when migrating guests or as a workaround for XSA-273 (L1TF).

MITIGATION
==========

Running only HVM or PVH guests will avoid the vulnerability.

Running PV guests in the PV shim will also avoid the vulnerability.

CREDITS
=======

This issue was discovered by Tim Deegan, and Jan Beulich of SUSE.

RESOLUTION
==========

Applying the appropriate attached patch resolves this issue.

Note that patches for released versions are generally prepared to
apply to the stable branches, and may not apply cleanly to the most
recent release tarball.  Downstreams are encouraged to update to the
tip of the stable branch before applying these patches.

xsa438.patch           xen-unstable
xsa438-4.17.patch      Xen 4.17.x
xsa438-4.16.patch      Xen 4.16.x
xsa438-4.15.patch      Xen 4.15.x

$ sha256sum xsa438\*
f30067fa3732fb52042b14a2836b610c29af47461425f1a1ccec21cb8a5a48b1  xsa438.patch
a2e7d7c12ea19fb95e2d825fda5f7d0124cbb5c4a369cb58ab6036d266b7e297  xsa438-4.15.patch
eb75fbeb4aa635d6104c12acd5f7311e477f7c159f2ec4eca8a345327a9aee24  xsa438-4.16.patch
f3a305c86124e48b9afa14f3ba76b81d1f5d8d472e2412ae3d014305c749a86a  xsa438-4.17.patch
$

DEPLOYMENT DURING EMBARGO
=========================

Deployment of the patches and/or mitigations described above (or
others which are substantially similar) is permitted during the
embargo, even on public-facing systems with untrusted guest users and
administrators.

But: Distribution of updated software is prohibited (except to other
members of the predisclosure list).

Predisclosure list members who wish to deploy significantly different
patches and/or mitigations, please contact the Xen Project Security
Team.

(Note: this during-embargo deployment notice is retained in
post-embargo publicly released Xen Project advisories, even though it
is then no longer applicable.  This is to enable the community to have
oversight of the Xen Project Security Team's decisionmaking.)

For more information about permissible uses of embargoed information,
consult the Xen Project community's agreed Security Policy:
  http://www.xenproject.org/security-policy.html
-----BEGIN PGP SIGNATURE-----

iQFABAEBCAAqFiEEI+MiLBRfRHX6gGCng/4UyVfoK9kFAmUKuSAMHHBncEB4ZW4u
b3JnAAoJEIP+FMlX6CvZtL0IAL3mXsj7Q5Xfu/Tof0a1ie7TnpvZ2qXxzoLlyiFR
Vra9gs83Nw7n45yXFFVLSzTjmz2bCbCmUowPp6TxF9Nawt0JocbF80JpYKEojEko
6B2BAdUFhPXtx1D6NruzG2gVr5qn/eNJjIIos0o7tzxtBPLKX9qzLh3FmZK5BJm2
HyKMLIEZuVipb3Qtb+avUDHvLjee6p4eaaWOk08g3sSWhtSfwxlS4IF9j1G2Oejj
QKZ1XILCP8miXmuUZJ/L/7CzFvOm+DKNVFZYhFT0fjDWk3vNhtLcBv5s36Z65gKK
MvKe7owffmclQLWjOekYNm8dG5gQ/OkWRAPbxiwRMegT22g=
=L3du
-----END PGP SIGNATURE-----

Xenproject.org Security Team

Tag

#ios