By Habiba Rashid
Citizens Lab and Microsoft have exposed an Israeli firm, QuaDream, selling spyware to governments around the world.
This is a post from HackRead.com Read the original post: QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks

**Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver spyware.**

A little-known cyber mercenary company, QuaDream, has been identified by researchers at Microsoft and digital rights group Citizen Lab as the creator of malware that was used to hack into the iPhones of journalists, political opposition figures, and an NGO worker.

QuaDream, an Israeli spyware maker, reportedly develops zero-click exploits, which are hacking tools that do not require the target to click on malicious links, for iPhones. The final payload of QuaDream’s malware includes recording phone calls, surreptitiously capturing audio using the phone’s microphone, taking pictures, stealing files, tracking the person’s granular location, and deleting forensic traces of its existence.

Credit: Citizen Lab

Citizen Lab’s report states that its researchers were able to trace QuaDream’s spyware by identifying particular marks left by the malware, which they have referred to as the “Ectoplasm Factor.” However, the researchers have decided not to disclose these marks to ensure their ability to track the malware in the future.

The researchers have identified more than five victims, including an NGO worker, politicians, and journalists, whose iPhones were hacked in Europe, North America, the Middle East, and Southeast Asia. However, the researchers have decided not to disclose the victims’ names, as they do not want to jeopardize their safety.

The fact that the victims are in different countries also makes it harder for them to come forward, according to a senior researcher at Citizen Lab.

Although QuaDream has managed to stay under the radar, Israeli newspaper Haaretz reported in 2021 that it sold its wares to Saudi Arabia. A year later, Reuters reported that QuaDream sold an exploit to hack iPhones, which is comparable to the one provided by NSO Group.

It’s important to note that QuaDream does not run the spyware itself, but rather its government customers operate it, which is a common practice in the surveillance technology sector.

According to internet scans conducted by Citizen Lab, QuaDream’s customers operated servers in several countries worldwide, including the following:

*   Israel
*   Ghana
*   Mexico
*   Bulgaria
*   Romania
*   Hungary
*   Singapore
*   Uzbekistan
*   Czech Republic
*   United Arab Emirates (UAE)

In a blog post, Microsoft labelled QuaDream as an Israel-based private sector offensive actor (PSOA) who sells REIGN, a suite of exploits to governments. This suite includes malware and infrastructure developed to exfiltrate data from targeted smartphones.

The exploit utilized by QuaDream was created for iOS 14 and was a zero-day vulnerability, meaning it was not yet fixed or known by Apple at the time. Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver the malware, which did not trigger a notification on the phone, making them invisible to the target.

QuaDream uses a Cyprus-based company called InReach to sell its products, according to Citizen Lab researchers, and this has been confirmed by a person who has worked in the spyware industry.

The discovery of QuaDream’s malware highlights once again that the spyware industry is not only made up of NSO Group but there are several other companies, most of which are still flying under the radar.

1.  Google spots spyware attack on Android and iOS
2.  NSO 0-click exploit hacks iPhones without clicking links
3.  Thai Activists’ iPhone Hacked by Israeli Pegasus Spyware
4.  Predator Spyware Using 0-day to Target Android Devices
5.  Hackers can Install Malware on iPhones even if Turned Off

I’m a student and cybersecurity writer. On a random Sunday, I am likely to be figuring out life and reading Kafka.

QuaDream: Israeli Cyber Mercenary Behind iPhone Hacks

An improper neutralization of input during web page generation vulnerability ('Cross-site Scripting') [CWE-79] in Fortinet FortiOS version 7.2.0 through 7.2.3, version 7.0.0 through 7.0.9, version 6.4.0 through 6.4.11 and before 6.2.12 and FortiProxy version 7.2.0 through 7.2.1 and before 7.0.7 allows an unauthenticated attacker to perform an XSS attack via crafted HTTP GET requests.

** PSIRT Advisories**

**FortiOS & FortiProxy - Cross Site Scripting vulnerabilities in administrative interface**

**Summary**

Multiple improper neutralization of input during web page generation ('Cross-site Scripting') vulnerabilities \[CWE-79\] in FortiOS & FortiProxy administrative interface may allow an unauthenticated attacker to perform an XSS attack via crafted HTTP or HTTPS GET requests.

**Affected Products**

FortiOS version 7.2.0 through 7.2.3  
FortiOS version 7.0.0 through 7.0.9  
FortiOS version 6.4.0 through 6.4.11  
FortiOS version 6.2.0 through 6.2.12  
FortiProxy version 7.2.0 through 7.2.1  
FortiProxy version 7.0.0 through 7.0.7

**Solutions**

Please upgrade to FortiProxy version 7.2.2 or above  
Please upgrade to FortiProxy version 7.0.8 or above  
Please upgrade to FortiOS version 7.2.4 or above  
Please upgrade to FortiOS version 7.0.10 or above  
Please upgrade to FortiOS version 6.4.12 or above  
Please upgrade to FortiOS version 6.2.13 or above

**Acknowledgement**

Internally discovered and reported by Théo Leleu of Fortinet Product Security team.

**Timeline**

2023-03-21: Initial publication

CVE-2022-41330: Fortiguard

A url redirection to untrusted site ('open redirect') in Fortinet FortiOS version 7.2.0 through 7.2.3, FortiOS version 7.0.0 through 7.0.9, FortiOS versions 6.4.0 through 6.4.12, FortiOS all versions 6.2, FortiOS all versions 6.0, FortiProxy version 7.2.0 through 7.2.2, FortiProxy version 7.0.0 through 7.0.8, FortiProxy all versions 2.0, FortiProxy all versions 1.2, FortiProxy all versions 1.1, FortiProxy all versions 1.0 allows an authenticated attacker to execute unauthorized code or commands via specially crafted requests.

** PSIRT Advisories**

**FortiOS & FortiProxy - Open redirect in sslvpnd**

**Summary**

A URL redirection to untrusted site ('Open Redirect') vulnerability \[CWE-601\] in FortiOS and FortiProxy sslvpnd may allow an authenticated attacker to redirect users to any arbitrary website via a crafted URL.

**Affected Products**

FortiOS version 7.2.0 through 7.2.3  
FortiOS version 7.0.0 through 7.0.9  
FortiOS version 6.4.0 through 6.4.12  
FortiOS all versions 6.2, 6.0  
FortiProxy version 7.2.0 through 7.2.2  
FortiProxy version 7.0.0 through 7.0.8  
FortiProxy all versions 2.0, 1.2, 1.1, 1.0

**Solutions**

Please upgrade to FortiProxy version 7.2.3 or above  
Please upgrade to FortiProxy version 7.0.9 or above  
Please upgrade to FortiOS version 7.2.4 or above  
Please upgrade to FortiOS version 7.0.10 or above  
Please upgrade to FortiOS version 6.4.13 or above

**Acknowledgement**

Internally discovered and reported by Gwendal Guégniaud of Fortinet Product Security team.

**Timeline**

2023-03-23: Initial publication

CVE-2023-22641: Fortiguard

An improper restriction of excessive authentication attempts vulnerability [CWE-307] in Fortinet FortiOS version 7.2.0 through 7.2.3 and before 7.0.10, FortiProxy version 7.2.0 through 7.2.2 and before 7.0.8 administrative interface allows an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

** PSIRT Advisories**

**FortiOS & FortiProxy - Anti brute-force bypass in administrative interface**

**Summary**

An improper restriction of excessive authentication attempts vulnerability \[CWE-307\] in FortiOS & FortiProxy administrative interface may allow an attacker with a valid user account to perform brute-force attacks on other user accounts via injecting valid login sessions.

**Affected Products**

FortiProxy version 7.2.0 through 7.2.1  
FortiProxy version 7.0.0 through 7.0.7  
FortiProxy 2.0 all versions  
FortiProxy 1.2 all versions  
FortiProxy 1.1 all versions  
FortiProxy 1.0 all versions  
FortiOS version 7.2.0 through 7.2.3  
FortiOS version 7.0.0 through 7.0.10  
FortiOS version 6.4.0 through 6.4.12  
FortiOS 6.2 all versions

**Solutions**

Please upgrade to FortiProxy version 7.2.2 or above  
Please upgrade to FortiProxy version 7.0.8 or above  
Please upgrade to FortiOS version 7.2.4 or above  
Please upgrade to FortiOS version 7.0.11 or above  
Please upgrade to FortiOS version 6.4.13 or above

**Acknowledgement**

Internally discovered and reported by Goutham Rukmasah from Fortinet's FortiGuard Labs .

**Timeline**

2023-03-21: Initial publication

CVE-2022-43947: Fortiguard

Apple Security Advisory 2023-04-10-3 - macOS Big Sur 11.7.6 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-3 macOS Big Sur 11.7.6macOS Big Sur 11.7.6 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213725.IOSurfaceAcceleratorAvailable for: macOS Big SurImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Big Sur 11.7.6 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkW2Q//bj0ZmcXsCzpQmhCc5hZ+P4cnesy9Kc4DRLofsYBtPVlR450wIjxiGqlUkpbLBWpBXaXn4EeBoqxxXB9FKXANvZVkdS+xpTLdHpdPnRMntJf3S4WiYyDr/G3coHVtHbNMbj/K/MbsRGBefVtGAueLpwwHFN5GsyvuMrp5xEl9wgQ3aMfi+x8hHXuFzxHIHyNf6OU5cBSf6R80FQcV55eOjPe9gX1B59n4ffZtaao3QqT+z++wA64eyVCVk9hSWXYsMKBNgcoyh108DHb6aYfr0G6SvcvzX2zR2zJtL0JFDNckHx/nvAws/Sd5O39oHzvS46gNcYZIHujHbemh/DsFJjgKbOd4O9oLyJeAcVjv0c5i61Qa+odERpvX2bJR8xWLlDGYIV5XmGYzxL8lksDim9hD2IOGf6P7ReARUcpahe9jaAIoj+BoFkKUMvr8iORx0752+3h+dMej1nu/1RhjmeWYawbUsH+yECu0L2GkQc0I9gFg0Dq21OFlHEfB46D+XRTWYWkM6l9KPMNcH1PX74d86ZkuqqMzlKmsRdJz0ESepIj6RzQ3Zy5SvZ63C78RJvWGPeg/8rQFIBQE9WktUoPz5+6bU/E1nq8ExbrTXxJKvt/VseIwBTi08UfQ2oYnyyAirIkTRi9PH5pviXBu9r/AiBYSj9J88QBzrV8QXHw==Lq+b-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-3

Apple Security Advisory 2023-04-10-1 - iOS 15.7.5 and iPadOS 15.7.5 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-1 iOS 15.7.5 and iPadOS 15.7.5iOS 15.7.5 and iPadOS 15.7.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213723.IOSurfaceAcceleratorAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 6s (all models), iPhone 7 (all models), iPhoneSE (1st generation), iPad Air 2, iPad mini (4th generation), and iPodtouch (7th generation)Impact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 15.7.5 and iPadOS 15.7.5".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJEACgkQ4RjMIDkeNxnSrA/9GfJGP3rEWjtK1bSWO5XgjPZIN8xZcYAT2zQCHNM/CREylHDWSoamyMsxsUFkc25u0ok7Ucoj5k+44WXT7bhRqK52H5PDP6b0n3KsUnhJo+up6+AlKgqgomWntzQyjYTe36nArMvHkMAy9car/kj0l6OBAFF2pVXSTU24ubQfYOtAppQp3JNU9UnqhJ/VrQCANwvjHIsdy+EximByL3+tdCTzRi1v5SC4ZntHP0vB66YwFgrkaxmWLa/EXrA9tgJr8YX6k7LUc0MMUJSkcMg7ydojFBeVgHCVdH2rJpL8w6eVrpW7MQ5wcp6XrDm23T1lckVT8WL+LL4414gBjkfOyjjntdllGiH5For84t76bUGYDs6pb69Ztv2uAMRRP8nJAgNpsP++EnEaI0U3jMoEbq0xCv64y/EenkZm3kuTwOeo7l5Q5WzTDJTsdqZMnP+tR7nhCu41UIKN8eOelp/BqRT/4wcT8fvTNLgg/oY6TUPHYydQO48+ZjiBaryn7oXcv+EaDdggkySniijiLI4Dol20J0SHUr6LHOM6AiiMWhz5ZeIawaLcLfw/oP5+U1tio3dPeeTCwjr9hY8BB/a2rPq6UkAuReAS3ZU+b1N5swaVRYaZb41bfW5rfI571XS42mjoCCGJP8TdXk8mWeZgdvAKdLCYbIW2taTPVRhtGwE==DG1t-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-1

Apple Security Advisory 2023-04-10-2 - macOS Monterey 12.6.5 addresses code execution and out of bounds write vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-10-2 macOS Monterey 12.6.5macOS Monterey 12.6.5 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213724.IOSurfaceAcceleratorAvailable for: macOS MontereyImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabmacOS Monterey 12.6.5 may be obtained from the Mac App Store orApple's Software Downloads web site:https://support.apple.com/downloads/All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQ0VJIACgkQ4RjMIDkeNxkpjhAAwMSbbqdMyODDeaYJhALWUoFTVp90hcduPLHYeYEZISeQg6taWYCrbFs6XVmtw65pEjCUOUfw7yIqkWGXy4XVwo4DhBBqxUwUNZyIv16uNEgCl9bqfQKKXyii4269rCBWhlhXyen1zv/1OSMEF5dlVVf4C55cmdx2ta+th/0jCXsd9Oe4aVgDOucDg2cItZ0Aht+2AStmeBi7wKoP0XgqLVtJcHofls7O/G0DW9YVkroxyfTizf1Fd4J+O4AjYYvA0P6Jrkm7jAI+64IlHrMukxkSiD43KNCG/PhVdHO6YLXhIm9a1ziEjSaA7EGw/bYQGI2HCmbu/gSMuXlHe4Uc8OnGdRMGceV4JHD9qjQUS9/Sh/58+oa609mLvWW+VBMJXQlWOYH4hrTlGiNSfCkQa2yqkCtpk4nfTkd51y8V1x3XvlFE8092Z2XnaEz0KzebfS5dgZiLKK0Tc0Kg8tJJi7KDRnjslCnu6Ove6aYW8Jm/Mh5NPWh6b9ZAkaynZ5kyEoLzutCa10riKH1uEQCLXLWMkiswz8vbEq8uyLKRBEuZOXxstoPEQBwgwh7nahcbCBjKH89CAj+Q541x00OHIYJNL1xmfT2bhb33Bm/U5aNhLuJqkYC9LrI6Xz+lPe9T8crHtIL//NsevkOIkWEyqMk0fbJJ6KHDkq4Aj5c7jWM==Iilf-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-10-2

Apple Security Advisory 2023-04-07-2 - macOS Ventura 13.3.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-04-07-2 macOS Ventura 13.3.1

macOS Ventura 13.3.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT213721.

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges. Apple is aware of a report that this issue may have been  
actively exploited.  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

WebKit  
Available for: macOS Ventura  
Impact: Processing maliciously crafted web content may lead to  
arbitrary code execution. Apple is aware of a report that this issue  
may have been actively exploited.  
Description: A use after free issue was addressed with improved  
memory management.  
WebKit Bugzilla: 254797  
CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group and  
Donncha Ó Cearbhaill of Amnesty International’s Security Lab

macOS Ventura 13.3.1 may be obtained from the Mac App Store or  
Apple's Software Downloads web site:  
https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYrsACgkQ4RjMIDke  
Nxlhmw/9GYfPKf/wprkK1e3/sflihNqz+/qJioE7p9oNHSvPx1b5VT2ovKMOGtsD  
8AG9qzF9DsWbFFybg7gIPAjQdb8tAiipm1xJYvyqLUpD1bJFlMIB+mRqs2OFUSgF  
0p9huSBVOGasGjcHRq9g2016OJQBr/oAA3w86Re/6Q5ST2AQCc7Y3lPcebJ+2JTp  
jSU2zfnNWg3+mRL0VMleh/ZnY2+yGce7r+uaoYzDz7MULGN8/j9nYoFUbDEbgf/y  
CnCAlJdMFuW98z3Iv7U+oUP5iF2PCzIR5nfaHcoXVaZUd0H52RLyrVKvm0iV4viq  
16SNGc7hl+Si9HDsRFN+XVvQoT4r+k5yzT78Ss3iLXYyR5XOf3Xi8sZdK0eXkDmk  
Ynrv5Y+st1M550EPlAOhsO8GAAWTsHWHOxmw76DX6kbUBaEOyYMRrKhG/AYP5Djg  
ZJlIIHsdNw99wEMUVBHCXtnWEY0aO7zaHpEl5tIr6r5xJep/idO8DjD6KpxmLDT8  
ftqB/fUloaVhTht6WMYaupXn4sG/U0228v8inculiFAKWeJ9vxyWF1doEGQNErFj  
xEUSsV10u1BjXf52Wle777lbS0ro31nv2pRWVfaT8j3dpTCZvDvUVclK5AAUPlKR  
tffpSuN9DHiPEynRftyBmi431MfXLI1CgYAC0w/rRYQ/pzc9NeI=  
=nsPp  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-2

Apple Security Advisory 2023-04-07-1 - iOS 16.4.1 and iPadOS 16.4.1 addresses code execution, out of bounds write, and use-after-free vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-04-07-1 iOS 16.4.1 and iPadOS 16.4.1iOS 16.4.1 and iPadOS 16.4.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/HT213720.IOSurfaceAcceleratorAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: An app may be able to execute arbitrary code with kernelprivileges. Apple is aware of a report that this issue may have beenactively exploited.Description: An out-of-bounds write issue was addressed with improvedinput validation.CVE-2023-28206: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air3rd generation and later, iPad 5th generation and later, and iPadmini 5th generation and laterImpact: Processing maliciously crafted web content may lead toarbitrary code execution. Apple is aware of a report that this issuemay have been actively exploited.Description: A use after free issue was addressed with improvedmemory management.WebKit Bugzilla: 254797CVE-2023-28205: Clément Lecigne of Google's Threat Analysis Group andDonncha Ó Cearbhaill of Amnesty International’s Security LabThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.4.1 and iPadOS 16.4.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmQwYroACgkQ4RjMIDkeNxk/Iw/9GD1PXcIq1OFLv/N8t8bEqTUhuDqbFdQ3NLcbzmSO+XnoueqvlYvXtJr/w0wv0yAo6lxkLODuI+kVX9hjbqHZzUezCkugzvz4TXWgmQI6V7+TKXC9KA7jGxH6ZUMf1a+u+0jkFRUEUsaUHxOvScSVAmw2hlJvIlnYyK/E6O5ZJrua1cBQ2pQX2hlDIYUJaNZy3E9MlSKzZclDIszckvO1yVkfEzOkdh8laZoHQ3zN+QfKXvb9IoMmO715gaNYHoO141d0RqL5nyegu4e5lYb951o0DGph2usCrCrpFD0sSquAKNriwV5tJ/DPlrStMnktYX8iogCBT/T2/AevAmrdPOil7A/2rX5pSNRifnYdAnku8FdF2zxqKdMRt10fwI4YOl2IADKz/khPtig5fcYIwcpkXgavQ0N738hg4ugF9K18S5IdY2RSTN1SQtfRjWKus6I7MgGtdIp7MW1koB/j0bF6b5Xw9GefweUzSNvn+EZT2jVLHfiD/ILkKph/QXeiQfe3VGHOs89mHY750QmuAiAT9v24IkCfni5uvrRmApJiBB8w8Hnhq1aJa+09fxiVfPwVTrKqauI5cL2p0D9iWcjlWC8W1rJR5gO2Ge8twfgbMVCXfXmD9WhEb5Z6vSNlpJLy7xXSJTn4fnJNNgJ46lmKeU+G5I2/8xP8VWrsPks==83T6-----END PGP SIGNATURE-----

Apple Security Advisory 2023-04-07-1

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.
"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and

Cloud Security / Data Security

A "by-design flaw" uncovered in Microsoft Azure could be exploited by attackers to gain access to storage accounts, move laterally in the environment, and even execute remote code.

"It is possible to abuse and leverage Microsoft Storage Accounts by manipulating Azure Functions to steal access-tokens of higher privilege identities, move laterally, potentially access critical business assets, and execute remote code (RCE)," Orca said in a new report shared with The Hacker News.

The exploitation path that underpins this attack is a mechanism called Shared Key authorization, which is enabled by default on storage accounts.

According to Microsoft, Azure generates two 512-bit storage account access keys when creating a storage account. These keys can be used to authorize access to data via Shared Key authorization, or via SAS tokens that are signed with the shared key.

"Storage account access keys provide full access to the configuration of a storage account, as well as the data," Microsoft notes in its documentation. "Access to the shared key grants a user full access to a storage account's configuration and its data."

The cloud security firm said these access tokens can be stolen by manipulating Azure Functions, potentially enabling a threat actor with access to an account with Storage Account Contributor role to escalate privileges and take over systems.

Specifically, should a managed identity be used to invoke the Function app, it could be abused to execute any command. This, in turn, is made possible owing to the fact that a dedicated storage account is created when deploying an Azure Function app.

"Once an attacker locates the storage account of a Function app that is assigned with a strong managed identity, it can run code on its behalf and as a result acquire a subscription privilege escalation (PE)," Orca researcher Roi Nisimi said.

UPCOMING WEBINAR

Learn to Secure the Identity Perimeter - Proven Strategies

Improve your business security with our upcoming expert-led cybersecurity webinar: Explore Identity Perimeter strategies!

Don't Miss Out – Save Your Seat!

In other words, by exfiltrating the access-token of the Azure Function app's assigned managed identity to a remote server, a threat actor can elevate privileges, move laterally, access new resources, and execute a reverse shell on virtual machines.

"By overriding function files in storage accounts, an attacker can steal and exfiltrate a higher-privileged identity and use it to move laterally, exploit and compromise victims' most valuable crown jewels," Nisimi explained.

As mitigations, it's recommended that organizations consider disabling Azure Shared Key authorization and using Azure Active Directory authentication instead. In a coordinated disclosure, Microsoft said it "plans to update how Functions client tools work with storage accounts."

"This includes changes to better support scenarios using identity. After identity-based connections for AzureWebJobsStorage are generally available and the new experiences are validated, identity will become the default mode for AzureWebJobsStorage, which is intended to move away from shared key authorization," the tech giant further added.

The findings arrive weeks after Microsoft patched a misconfiguration issue impacting Azure Active Directory that made it possible to tamper with Bing search results and a reflected XSS vulnerability in Azure Service Fabric Explorer (SFX) that could lead to unauthenticated remote code execution.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#ios