ZecOps extends Jamf's mobile security capabilities by adding advanced detections and incident response.

**MINNEAPOLIS, Sept. 26, 2022 (GLOBE NEWSWIRE) —** Jamf (NASDAQ: JAMF), the standard in Apple Enterprise Management, today announced it signed a definitive agreement to acquire ZecOps Inc., a leader in mobile detection and response.

This acquisition uniquely positions Jamf to help IT and security teams strengthen their organization's mobile security posture, accelerating mobile security investigations from weeks to minutes, leverage known indicators of compromise (IOC) at-scale, and identify sophisticated 0- or 1-click attacks on a much deeper scale.

"I am very excited to bring ZecOps' market-leading advanced mobile detection and response capabilities into the Jamf platform," said Dean Hager, CEO, Jamf. "We believe ZecOps has built a differentiated solution that meets a very important need for many organizations — the ability to thoroughly detect and investigate threats that target mobile users so they can confidently use these powerful devices for work. This capability further propels our goal of continuing to bridge the gap between what Apple provides and the enterprise requires."

Mobile devices now account for 59% of global website traffic, and according to the 2022 Verizon Mobile Security Index, close to half (45%) of companies said that they have suffered a compromise involving a mobile device in the past 12 months.

ZecOps will bring important capabilities to the Jamf platform to help address the growing trend of targeted mobile attacks. Jamf offers robust management and mobile security capabilities for iOS devices; however, access to deeper insights into potential security exploits is technically challenging and requires physical access to the device, which is difficult in a remote work environment. ZecOps is a robust, unparalleled solution that provides the deepest layer of insight and assurance for security-conscious customers with high-value targets that need something more. ZecOps provides the same level of visibility currently available for macOS through Jamf Protect but for iOS, making it capable of detecting the kinds of sophisticated mobile threats that Apple's Lockdown mode aims to prevent. With ZecOps, users can have both Lockdown mode and ZecOps software operating at the same time.

**Advanced threat hunting on mobile devices**  
Advanced protection of mobile devices requires a layered approach. Proactive investigation and analysis complement device management and mobile threat defense for more advanced detections and preventative protections. ZecOps enables advanced threat hunting by capturing and analyzing logs from iOS and Android devices at the operating system layer, allowing security operations and incident response teams to perform automatic or on-demand mobile cyber investigations.

**Digital forensics and incident response**  
Security teams are already drowning in data. Event logs, analyst reports, third-party threat intelligence feeds, and more are produced regularly for applications, endpoints, and network infrastructure. Mobile has historically been left out of this data feed. Many investigation teams lack expertise in modern mobile platforms. ZecOps' sophisticated digital forensics capabilities provides Security Operation Center (SOC) teams with unique mobile threat intelligence to uncover zero-day attacks. ZecOps does the heavy lifting for SOC teams, saving months of work per investigation. The solution automatically constructs a timeline of suspicious events and indicators of compromise to demonstrate when and how a device was impacted.

**Privacy conscious**  
Data privacy is extremely important to Jamf. ZecOps shares Jamf's commitment to safeguarding user data by ensuring log collection doesn't include the user's material personal data such as photos, videos, text messages and call logs, and only leveraging low-level system information and diagnostics data to the cloud for analysis. ZecOps analysis can also take place on-premises to meet various organizations' and governments data privacy requirements.

"We founded ZecOps to catch hidden 0-click and 1-click attacks," said Zuk Avraham, co-founder and CEO, ZecOps. "By combining with Jamf, we can offer our customers a truly powerful mobile threat intelligence and threat hunting capabilities that will keep up with the evolving threat landscape without compromising the user experience."

This transaction is subject to the satisfaction of customary closing conditions and is expected to close in the fourth quarter. Terms of the transaction were not disclosed.

**About Jamf**  
Jamf's purpose is to simplify work by helping organizations manage and secure an Apple experience that end users love and organizations trust. Jamf is the only company in the world that provides a complete management and security solution for an Apple-first environment that is enterprise secure, consumer simple and protects personal privacy. To learn more, visit www.jamf.com.

**About ZecOps**  
ZecOps develops the world's most powerful platform to discover and analyze mobile cyber attacks. Used by world-leading enterprises, governments and individuals globally, ZecOps Mobile Detection and Response platform provides a realistic and scalable approach to mobile threat hunting. ZecOps enables automated discovery of 0-day attacks and Advanced Persistent Threats (APTs), delivering anti cyber-espionage capabilities within minutes.

**Forward-Looking Statements**  
This release relates to a pending acquisition of ZecOps, Inc. ("ZecOps") by Jamf Holding Corp. ("Jamf", "we", our" or "us"). This release contains forward-looking statements within the meaning of the "safe harbor" provisions of the Private Securities Litigation Reform Act of 1995, regarding the anticipated benefits of the acquisition, and the anticipated impacts of the acquisition on our business, products, financial results, and other aspects of our and ZecOps' operations. You can identify forward-looking statements by the fact that they do not relate strictly to historical or current facts. These statements may include words such as "anticipate," "estimate," "expect," "project," "plan," "intend," "believe," "may," "will," "should," "can have," "likely," and other words and terms of similar meaning in connection with any discussion of the timing or nature of future operating or financial performance or other events. These risks, uncertainties, assumptions, and other factors include, but are not limited to: the effect of the announcement of the acquisition on the ability of Jamf or ZecOps to retain key personnel or maintain relationships with customers, vendors, developers, community members, and other business partners; risks that the acquisition disrupts current plans and operations; the ability of the parties to consummate the acquisition on a timely basis or at all; the satisfaction of the conditions precedent to consummation of the acquisition; our ability to successfully integrate ZecOps' operations; our and ZecOps' ability to execute on our business strategies relating to the acquisition and realize expected benefits and synergies; and our ability to compete effectively, including in response to actions our competitors may take following announcement of the acquisition. Further information on these and additional risks, uncertainties, and other factors that could cause actual outcomes and results to differ materially from those included in or contemplated by the forward-looking statements contained in this release are included under the caption "Forward-Looking Statements" and elsewhere in our Form 10-Q for the quarter ended June 30, 2022, and other filings and reports we make with the Securities and Exchange Commission from time to time. Moreover, both we and ZecOps operate in a very competitive and rapidly changing environment, and new risks may emerge from time to time. It is not possible for us to predict all risks, nor can we assess the impact of all factors on our business or the acquisition, or the extent to which any factor, or combination of factors, may cause actual results or outcomes to differ materially from those contained in any forward-looking statements we may make. Forward-looking statements speak only as of the date the statements are made and are based on information available to us at the time those statements are made and/or our management's good faith belief as of that time with respect to future events. Except as required by law, we undertake no obligation, and do not intend, to update these forward-looking statements.

SOURCE: Jamf

Jamf Announces Intent to Acquire ZecOps, to Provide a Market-Leading Security Solution for Mobile Devices as Targeted Attacks Continue to Grow

Categories: News
Categories: Scams
The Federal Communications Commission wants mobile carriers to block spam texts at the network level.



(Read more...)




The post FCC moves to block robotexts appeared first on Malwarebytes Labs.

> The American people are fed up with scam texts, and we need to use every tool we have to do something about it.

This is what Jessica Rosenworcel, Chairwoman of the US Federal Communications Commission (FCC) said after releasing a plan that will require mobile carriers to block "robotext" text messages. Just last month, the FCC warned of a steep rise in phishing over SMS (also known as smishing or robotexts). Rosenworcel:

> Recently, scam text messaging has become a growing threat to consumers' wallets and privacy. More can be done to address this growing problem and today we are formally starting an effort to take a serious, comprehensive, and fresh look at our policies for fighting unwanted robotexts.

The plan, known as a Notice of Proposed Rulemaking (NPRM), wants mobile wireless providers to "block texts, at the network level, that purport to be from invalid, unallocated, or unused numbers, and numbers on a Do-Not-Originate (DNO) list". Such texts are deemed "highly likely to be illegal".

The FCC is seeking comment on the proposed rules and, more generally, on the problem of robotexts: "We also seek comment on the extent to which spoofing is a problem with regard to text messaging today and whether there are measures the commission can take to encourage providers to identify and block texts that appear to come from spoofed numbers."

The NPRM isn't a new proposition. In fact, Rosenworcel circulated this to commissioners in October 2021, but to outside observers it seems to have sat idle for almost a year. The problem of robotexts is _huge_, so the lack of urgency is a concern.

When Ars Technica questioned commissioners about when they voted, FCC member Brendan Carr said in an email: "This is a good item, and I'm hoping the FCC moves quickly to an order on it. I can tell you that I was not dragging \[my\] feet on it."

Robotexts can be anything from annoying to outright harmful, creating opportunities for threat actors to steal data from victims and even infect them with malware. Here is how the FCC describes the risks of robotexts:

> Texts can include links to well-designed phishing websites that appear identical to the website of a legitimate company and fool a victim into providing personal or financial information. Texted links can also load unwanted software, including malware that steals passwords and other credentials, onto a device. Scam texts, like scam calls, may involve illegal caller ID spoofing, i.e., falsifying the caller ID information that appears on the called party's phone with the intent to defraud, cause harm, or wrongfully obtain something of value. In 2020, scammers stole over $86 million through spam texting fraud schemes. The median amount stolen from consumers in such scams was $800.

Be on the lookout for scam or spam text red flags. Ask yourself:

*   Does it come from an unknown number?
*   Does the message give you misleading or incomplete information? 
*   Does the message contain grammar or spelling errors, mysterious links, or sales pitches?

If your SMS tick any of these boxes, the FCC advises you:

*   Don't respond, even if it tells you to text back "STOP" to stop the messages
*   Don't click links
*   Don't give senders any information they ask for
*   Forward it to SPAM (7726)
*   File a complaint
*   Delete the SMS

The FCC further adds the following to keep yourself, your data, and your mobile devices secure.

*   Install reliable security software on your Android or iOS devices.
*   Keep all your software updated.
*   Consider opting into SMS blocking features your mobile carrier is offering.

Stay safe!

FCC moves to block robotexts

The “Bytebase” application does not restrict low privilege user to access admin “projects“ for which an unauthorized user can view the “projects“ created by “Admin” and the affected endpoint is “/api/project?user=${userId}”.

import { defineStore } from "pinia"; import axios from "axios"; import { empty, EMPTY\_ID, MemberId, PrincipalId, Project, ProjectCreate, ProjectId, ProjectMember, ProjectMemberCreate, ProjectMemberPatch, ProjectPatch, ProjectState, ResourceIdentifier, ResourceObject, RowStatus, unknown, } from "@/types"; import { getPrincipalFromIncludedList } from "./principal"; function convert( project: ResourceObject, includedList: ResourceObject\[\] ): Project { const attrs \= project.attributes as Omit< Project, "id" | "memberList" | "creator" | "updater" \>; // Only able to assign an empty member list, otherwise would cause circular dependency. // This should be fine as we shouldn't access member via member.project.memberList const projectWithoutMemberList: Project \= { id: parseInt(project.id), rowStatus: attrs.rowStatus, name: attrs.name, key: attrs.key, creator: getPrincipalFromIncludedList( project.relationships!.creator.data, includedList ), updater: getPrincipalFromIncludedList( project.relationships!.updater.data, includedList ), createdTs: attrs.createdTs, updatedTs: attrs.updatedTs, memberList: \[\], workflowType: attrs.workflowType, visibility: attrs.visibility, tenantMode: attrs.tenantMode, dbNameTemplate: attrs.dbNameTemplate, roleProvider: attrs.roleProvider, }; const memberList: ProjectMember\[\] \= \[\]; for (const item of includedList || \[\]) { if (item.type \== "projectMember") { const projectMemberIdList \= project.relationships!.projectMember .data as ResourceIdentifier\[\]; for (const idItem of projectMemberIdList) { if (idItem.id \== item.id) { const member \= convertMember(item, includedList); member.project \= projectWithoutMemberList; memberList.push(member); } } } } // sort the member list memberList.sort((a: ProjectMember, b: ProjectMember) \=> { if (a.createdTs \=== b.createdTs) { return a.id \- b.id; } return a.createdTs \- b.createdTs; }); return { ...(projectWithoutMemberList as Omit<Project, "memberList"\>), memberList, }; } // For now, this is exclusively used as part of converting the Project. // Upon calling, the project itself is not constructed yet, so we return // an unknown project first. function convertMember( projectMember: ResourceObject, includedList: ResourceObject\[\] ): ProjectMember { const attrs \= projectMember.attributes as Omit< ProjectMember, "id" | "project" \>; return { id: parseInt(projectMember.id), project: unknown("PROJECT") as Project, creator: getPrincipalFromIncludedList( projectMember.relationships!.creator.data, includedList ), updater: getPrincipalFromIncludedList( projectMember.relationships!.updater.data, includedList ), createdTs: attrs.createdTs, updatedTs: attrs.updatedTs, role: attrs.role, principal: getPrincipalFromIncludedList( projectMember.relationships!.principal.data, includedList ), roleProvider: attrs.roleProvider, payload: JSON.parse((attrs.payload as unknown as string) || "{}"), }; } export const useProjectStore \= defineStore("project", { state: (): ProjectState \=> ({ projectById: new Map(), }), actions: { convert(instance: ResourceObject, includedList: ResourceObject\[\]): Project { return convert(instance, includedList || \[\]); }, getProjectListByUser( userId: PrincipalId, rowStatusList?: RowStatus\[\] ): Project\[\] { const result: Project\[\] \= \[\]; for (const \[\_, project\] of this.projectById) { if ( (!rowStatusList && project.rowStatus \== "NORMAL") || (rowStatusList && rowStatusList.includes(project.rowStatus)) ) { for (const member of project.memberList) { if (member.principal.id \== userId) { result.push(project); break; } } } } return result; }, getProjectById(projectId: ProjectId): Project { if (projectId \== EMPTY\_ID) { return empty("PROJECT") as Project; } return this.projectById.get(projectId) || (unknown("PROJECT") as Project); }, async fetchAllProjectList() { const data \= (await axios.get(\`/api/project\`)).data; const projectList \= data.data.map((project: ResourceObject) \=> { return convert(project, data.included); }); this.upsertProjectList(projectList); return projectList; }, async fetchProjectListByUser({ userId, rowStatusList \= \[\], }: { userId: PrincipalId; rowStatusList?: RowStatus\[\]; }) { const projectList: Project\[\] \= \[\]; const fetchProjectList \= async (rowStatus?: RowStatus) \=> { let path \= \`/api/project?user=${userId}\`; if (rowStatus) path += \`&rowstatus=${rowStatus}\`; const data \= (await axios.get(path)).data; const list: Project\[\] \= data.data.map((project: ResourceObject) \=> { return convert(project, data.included); }); // projects are mutual excluded by different rowstatus // so we don't need to unique them by id here projectList.push(...list); }; if (rowStatusList.length \=== 0) { // if no rowStatus specified, fetch all await fetchProjectList(); } else { // otherwise, fetch different rowStatus one-by-one for (const rowStatus of rowStatusList) { await fetchProjectList(rowStatus); } } this.upsertProjectList(projectList); return projectList; }, async fetchProjectById(projectId: ProjectId) { const data \= (await axios.get(\`/api/project/${projectId}\`)).data; const project \= convert(data.data, data.included); this.setProjectById({ projectId, project, }); return project; }, async createProject(newProject: ProjectCreate) { const data \= ( await axios.post(\`/api/project\`, { data: { type: "ProjectCreate", attributes: newProject, }, }) ).data; const createdProject \= convert(data.data, data.included); this.setProjectById({ projectId: createdProject.id, project: createdProject, }); return createdProject; }, async patchProject({ projectId, projectPatch, }: { projectId: ProjectId; projectPatch: ProjectPatch; }) { const data \= ( await axios.patch(\`/api/project/${projectId}\`, { data: { type: "projectPatch", attributes: projectPatch, }, }) ).data; const updatedProject \= convert(data.data, data.included); this.setProjectById({ projectId, project: updatedProject, }); return updatedProject; }, // sync member role from vcs async syncMemberRoleFromVCS({ projectId }: { projectId: ProjectId }) { await axios.post(\`/api/project/${projectId}/sync-member\`); const updatedProject \= await this.fetchProjectById(projectId); return updatedProject; }, // Project Role Mapping // Returns existing member if the principalId has already been created. async createdMember({ projectId, projectMember, }: { projectId: ProjectId; projectMember: ProjectMemberCreate; }) { await axios.post(\`/api/project/${projectId}/member\`, { data: { type: "projectMemberCreate", attributes: projectMember, }, }); const updatedProject \= await this.fetchProjectById(projectId); return updatedProject; }, async patchMember({ projectId, memberId, projectMemberPatch, }: { projectId: ProjectId; memberId: MemberId; projectMemberPatch: ProjectMemberPatch; }) { await axios.patch(\`/api/project/${projectId}/member/${memberId}\`, { data: { type: "projectMemberPatch", attributes: projectMemberPatch, }, }); const updatedProject \= await this.fetchProjectById(projectId); return updatedProject; }, async deleteMember(member: ProjectMember) { await axios.delete( \`/api/project/${member.project.id}/member/${member.id}\` ); const updatedProject \= await this.fetchProjectById(member.project.id); return updatedProject; }, setProjectById({ projectId, project, }: { projectId: ProjectId; project: Project; }) { this.projectById.set(projectId, project); }, upsertProjectList(projectList: Project\[\]) { for (const project of projectList) { this.projectById.set(project.id, project); } }, }, });

CVE-2022-32170: bytebase/project.ts at 1.0.4 · bytebase/bytebase

The “Bytebase” application does not restrict low privilege user to access “admin issues“ for which an unauthorized user can view the “OPEN” and “CLOSED” issues by “Admin” and the affected endpoint is “/issue”.

import { defineStore } from "pinia"; import axios from "axios"; import { empty, EMPTY\_ID, Issue, IssueCreate, IssueId, IssuePatch, IssueState, IssueStatus, IssueStatusPatch, Pipeline, Principal, PrincipalId, Project, ProjectId, ResourceIdentifier, ResourceObject, unknown, } from "@/types"; import { getPrincipalFromIncludedList } from "./principal"; import { useActivityStore } from "./activity"; import { useDatabaseStore } from "./database"; import { useInstanceStore } from "./instance"; import { usePipelineStore } from "./pipeline"; import { useProjectStore } from "./project"; function convert(issue: ResourceObject, includedList: ResourceObject\[\]): Issue { const projectId \= (issue.relationships!.project.data as ResourceIdentifier) .id; let project: Project \= unknown("PROJECT") as Project; project.id \= parseInt(projectId); const pipelineId \= (issue.relationships!.pipeline.data as ResourceIdentifier) .id; let pipeline \= unknown("PIPELINE") as Pipeline; pipeline.id \= parseInt(pipelineId); const projectStore \= useProjectStore(); const pipelineStore \= usePipelineStore(); for (const item of includedList || \[\]) { if ( item.type \== "project" && (issue.relationships!.project.data as ResourceIdentifier).id \== item.id ) { project \= projectStore.convert(item, includedList || \[\]); } if ( item.type \== "pipeline" && issue.relationships!.pipeline.data && (issue.relationships!.pipeline.data as ResourceIdentifier).id \== item.id ) { pipeline \= pipelineStore.convert(item, includedList); } } const subscriberList \= \[\] as Principal\[\]; if (issue.relationships!.subscriberList.data) { for (const subscriberData of issue.relationships!.subscriberList .data as ResourceIdentifier\[\]) { subscriberList.push( getPrincipalFromIncludedList(subscriberData, includedList) ); } } return { ...(issue.attributes as Omit< Issue, "id" | "project" | "creator" | "updater" | "assignee" | "subscriberList" \>), id: parseInt(issue.id), creator: getPrincipalFromIncludedList( issue.relationships!.creator.data, includedList ), updater: getPrincipalFromIncludedList( issue.relationships!.updater.data, includedList ), assignee: getPrincipalFromIncludedList( issue.relationships!.assignee.data, includedList ), project, pipeline, subscriberList: subscriberList, }; } export const useIssueStore \= defineStore("issue", { state: (): IssueState \=> ({ issueById: new Map(), }), actions: { getIssueById(issueId: IssueId): Issue { if (issueId \== EMPTY\_ID) { return empty("ISSUE") as Issue; } return this.issueById.get(issueId) || (unknown("ISSUE") as Issue); }, setIssueById({ issueId, issue }: { issueId: IssueId; issue: Issue }) { this.issueById.set(issueId, issue); }, async fetchIssueList({ issueStatusList, userId, projectId, limit, }: { issueStatusList?: IssueStatus\[\]; userId?: PrincipalId; projectId?: ProjectId; limit?: number; }) { const queryList \= \[\]; if (issueStatusList) { queryList.push(\`status=${issueStatusList.join(",")}\`); } if (userId) { queryList.push(\`user=${userId}\`); } if (projectId) { queryList.push(\`project=${projectId}\`); } if (limit) { queryList.push(\`limit=${limit}\`); } let url \= "/api/issue"; if (queryList.length \> 0) { url += \`?${queryList.join("&")}\`; } const data \= (await axios.get(url)).data; const issueList: Issue\[\] \= data.data.map((issue: ResourceObject) \=> { return convert(issue, data.included); }); // The caller consumes directly, so we don't store it. return issueList; }, async fetchIssueById(issueId: IssueId) { const data \= (await axios.get(\`/api/issue/${issueId}\`)).data; const issue \= convert(data.data, data.included); this.setIssueById({ issueId, issue, }); // It might be the first time the particular instance/database objects are returned, // so that we should also update instance/database store, otherwise, we may get // unknown instance/database when navigating to other UI from the issue detail page // since other UIs are getting instance/database by id from the store. const instanceStore \= useInstanceStore(); const databaseStore \= useDatabaseStore(); for (const stage of issue.pipeline.stageList) { for (const task of stage.taskList) { instanceStore.setInstanceById({ instanceId: task.instance.id, instance: task.instance, }); if (task.database) { databaseStore.upsertDatabaseList({ databaseList: \[task.database\], }); } } } return issue; }, async createIssue(newIssue: IssueCreate) { const data \= ( await axios.post(\`/api/issue\`, { data: { type: "IssueCreate", attributes: { ...newIssue, // Server expects payload as string, so we stringify first. createContext: JSON.stringify(newIssue.createContext), payload: JSON.stringify(newIssue.payload), }, }, }) ).data; const createdIssue \= convert(data.data, data.included); this.setIssueById({ issueId: createdIssue.id, issue: createdIssue, }); return createdIssue; }, async validateIssue(newIssue: IssueCreate) { const data \= ( await axios.post(\`/api/issue\`, { data: { type: "IssueCreate", attributes: { ...newIssue, // Server expects payload as string, so we stringify first. createContext: JSON.stringify(newIssue.createContext), payload: JSON.stringify(newIssue.payload), validateOnly: true, }, }, }) ).data; const createdIssue \= convert(data.data, data.included); return createdIssue; }, async patchIssue({ issueId, issuePatch, }: { issueId: IssueId; issuePatch: IssuePatch; }) { const data \= ( await axios.patch(\`/api/issue/${issueId}\`, { data: { type: "issuePatch", attributes: issuePatch, }, }) ).data; const updatedIssue \= convert(data.data, data.included); this.setIssueById({ issueId: issueId, issue: updatedIssue, }); useActivityStore().fetchActivityListForIssue(issueId); return updatedIssue; }, async updateIssueStatus({ issueId, issueStatusPatch, }: { issueId: IssueId; issueStatusPatch: IssueStatusPatch; }) { const data \= ( await axios.patch(\`/api/issue/${issueId}/status\`, { data: { type: "issueStatusPatch", attributes: issueStatusPatch, }, }) ).data; const updatedIssue \= convert(data.data, data.included); this.setIssueById({ issueId: issueId, issue: updatedIssue, }); useActivityStore().fetchActivityListForIssue(issueId); return updatedIssue; }, }, });

CVE-2022-32169: bytebase/issue.ts at 1.0.4 · bytebase/bytebase

WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices.
One of them concerns CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call.
The issue impacts the WhatsApp and

WhatsApp has released security updates to address two flaws in its messaging app for Android and iOS that could lead to remote code execution on vulnerable devices.

One of them concerns CVE-2022-36934 (CVSS score: 9.8), a critical integer overflow vulnerability in WhatsApp that results in the execution of arbitrary code simply by establishing a video call.

The issue impacts the WhatsApp and WhatsApp Business for Android and iOS prior to versions 2.22.16.12.

Also patched by the Meta-owned messaging platform is an integer underflow bug, which refers to an opposite category of errors that occur when the result of an operation is too small for storing the value within the allocated memory space.

The high-severity issue, given the CVE identifier CVE-2022-27492 (CVSS score: 7.8), affects WhatsApp for Android prior to versions 2.22.16.2 and WhatsApp for iOS version 2.22.15.9, and could be triggered upon receiving a specially crafted video file.

Exploiting integer overflows and underflows are a stepping stone towards inducing undesirable behavior, causing unexpected crashes, memory corruption, and code execution.

WhatsApp did not share more specifics on the vulnerabilities, but cybersecurity firm Malwarebytes said that they reside in two components called Video Call Handler and Video File Handler, which could permit an attacker to seize control of the app.

Vulnerabilities on WhatsApp can be a lucrative attack vector for threat actors looking to plant malicious software on compromised devices. In 2019, an audio calling flaw was exploited by the Israeli spyware maker NSO Group to inject the Pegasus spyware.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Critical WhatsApp Bugs Could Have Let Attackers Hack Devices Remotely

The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way.

_The Red Hat Shares newsletter helps IT leaders navigate the complicated world of IT―the open source way._

FROM THE EDITOR

**Securing your edge infrastructure**

Edge security is becoming increasingly important as more organizations turn to edge computing to benefit from the flexibility of hybrid cloud computing and deliver faster, more reliable services at a lower cost.

When we surveyed IT decision makers in 2021 for our 2022 Global Tech Outlook report about what emerging technologies they were most likely to consider using in the next year, or are currently using, 28% said edge computing (up from 25% in 2020). Furthermore, a July 2022 report from 451 Research reveals that "large organizations will significantly expand edge computing infrastructure in two years."1

In edge computing, an increase in data and processing outside the traditional datacenter creates potential risk to organizations. Reduced physical security, a limited compute footprint, lower cost expectations and remote management are often compounded by a lack of IT personnel. These issues combine to create relaxed standards for security and policy and expand the attack surface.

However, there are ways edge resources can improve security. For example, IDC says "63% of organizations report using edge resources to enhance cybersecurity through monitoring networks." IDC also says "replicating data \[using edge resources\] across multiple locations" can "reduce \[the\] impact of ransomware attacks."2

Red Hat provides trusted open source software that helps organizations implement a layered security approach across infrastructure, the application stack and the life cycle for better security on site, in cloud environments or at edge sites.

In this issue of Red Hat Shares, learn about security considerations for edge implementations, key edge security issues for CIOs, how Red Hat helped a customer reduce its edge deployment time while enhancing its infrastructure security and more. Plus, just for fun, we threw in a video from our "In the Clouds" series about how edge computing is being used to solve problems on the International Space Station.

1.  451 Research. "Security tops the priorities for edge computing infrastructure – Highlights from VotE: Edge Infrastructure & Services," 25 July 2022. 
2.  Huang, Cathy, and Jennifer Cooke. "Securing the Edge: How Edge Is Architected Will Determine How Security Is Designed." IDC, Feb. 2022.

**5 security considerations for edge implementations**

Learn about some of the primary security threats edge deployments face and how Red Hat technologies can help mitigate them.

**Edge computing: 4 key security issues for CIOs to prioritize**

The Enterprisers Project suggests considering the expert advice in this article to address security concerns before implementing an edge computing strategy.

_You may also be interested in "Beat these common edge computing challenges."_

**A deep dive on edge and security**

Global analyst firm Futurum Research addresses common edge computing security challenges, Red Hat’s approach to security at the edge and more.

**Boost security, flexibility, and scale at the edge with Red Hat Enterprise Linux**

Find out how Red Hat Enterprise Linux can help you extend your datacenter capabilities to the edge with confidence.

_You may also be interested in "What’s new in Red Hat Enterprise Linux 9 for edge computing."_

CUSTOMER SPOTLIGHT

**Edge computing flexibility enables critical defense and security advantages**

See how Red Hat helped Mamram―the Israel Defense Forces’ central computing system unit―reduce its edge deployment time from weeks to hours while enhancing its infrastructure security and compliance.

**In the Clouds: Edge Computing in Space**

In this episode of our video series, IBM Distinguished Engineer and CTO Space Tech Naeem Altaf explains how, together with NASA, cloud and edge computing services and technologies are being used to solve problems on the International Space Station.

_You may also be interested in "Edge computing in action: Space."_

**AnsibleFest: Shape the present and future of automation**

Oct. 18-19, 2022

Chicago, Illinois

Get discounted pricing through Oct. 17.

_Did you miss our special July edition recapping Red Hat Summit 2022? Check it out. Or browse all past issues of Red Hat Shares._

_Questions or comments about Red Hat Shares? It’s your turn to share. Email us._

Red Hat Shares ― Edge computing: Security

Chipolo ONE Bluetooth tracker (2020) Chipolo iOS app version 4.13.0 is vulnerable to Incorrect Access Control. Chipolo devices suffer from access revocation evasion attacks once the malicious sharee obtains the access credentials.

**Vulnerability Description**

Chipolo's access sharing functionality has a vulnerability. A trusted owner can remotely share Chipolo access to another user, who may be a potential attacker. The attacker's mobile phone operating system is untrusted and the attacker can extract the Chipolo authentication secret from the mobile app, and possibly reuse it to control the Chipolo device even after the trusted owner has revoked the attacker's access from the server side.

**CVE Number**

CVE-2022-37193

**Credits**

Xin'an Zhou, UC Riverside; Jiale Guan, Indiana University Bloomington; Luyi Xing, Indiana University Bloomington; Zhiyun Qian, UC Riverside.

CVE-2022-37193: CCS22MaaGIoT/ChipoloONE.md at main · zhouxinan/CCS22MaaGIoT

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

Posted Sep 27, 2022

Authored by Yousef Alraddadi

Online Birth Certificate Management System version 1.0 suffers from a persistent cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 7e9852e1ba3b10ed9809857eace8d6e330d1f9d7306d8b2d80c0851d85229f86

Download | Favorite | View

**Online Birth Certificate Management System 1.0 Cross Site Scripting**

    # Exploit Title: Online Birth Certificate Management System - Stored Cross-Site Scripting (XSS)# Google Dork: N/A# Date: 2022-9-27# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11# Vendor Homepage: https://www.sourcecodester.com/php/15683/online-birth-certificate-management-system-php-free-download.html# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/OBCMS.zip# Tested on: windows 11 - XAMPP# CVE : N/A# Version: 1.0Vulnerability Details======================Steps :1) Log in to the application after register new userUsername: testPassword: 123452) Navigate to Birth Reg Form and Click on Add Details.3) add full name payload => <script>alert(document.cookie);</script>4) and all field enter payload only Contact Number enter number

**File Tags**

*   ActiveX (932)
*   Advisory (78,276)
*   Arbitrary (15,276)
*   BBS (2,859)
*   Bypass (1,598)
*   CGI (1,013)
*   Code Execution (6,771)
*   Conference (671)
*   Cracker (799)
*   CSRF (3,277)
*   DoS (22,065)
*   Encryption (2,340)
*   Exploit (50,129)
*   File Inclusion (4,160)
*   File Upload (945)
*   Firewall (821)
*   Info Disclosure (2,565)
*   Intrusion Detection (861)
*   Java (2,823)
*   JavaScript (808)
*   Kernel (6,156)
*   Local (14,093)
*   Magazine (586)
*   Overflow (12,252)
*   Perl (1,413)
*   PHP (5,057)
*   Proof of Concept (2,284)
*   Protocol (3,350)
*   Python (1,406)
*   Remote (29,862)
*   Root (3,466)
*   Ruby (581)
*   Scanner (1,630)
*   Security Tool (7,737)
*   Shell (3,077)
*   Shellcode (1,203)
*   Sniffer (883)
*   Spoof (2,123)
*   SQL Injection (16,057)
*   TCP (2,369)
*   Trojan (682)
*   UDP (872)
*   Virus (660)
*   Vulnerability (30,657)
*   Web (9,114)
*   Whitepaper (3,723)
*   x86 (943)
*   XSS (17,396)
*   Other

**File Archives**

*   September 2022
*   August 2022
*   July 2022
*   June 2022
*   May 2022
*   April 2022
*   March 2022
*   February 2022
*   January 2022
*   December 2021
*   November 2021
*   October 2021
*   Older

**Systems**

*   AIX (426)
*   Apple (1,899)
*   BSD (369)
*   CentOS (55)
*   Cisco (1,915)
*   Debian (5,948)
*   Fedora (1,690)
*   FreeBSD (1,242)
*   Gentoo (4,207)
*   HPUX (878)
*   iOS (323)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (42,923)
*   Mac OS X (684)
*   Mandriva (3,105)
*   NetBSD (255)
*   OpenBSD (478)
*   RedHat (12,009)
*   Slackware (941)
*   Solaris (1,607)
*   SUSE (1,444)
*   Ubuntu (8,027)
*   UNIX (9,115)
*   UnixWare (185)
*   Windows (6,473)
*   Other

Online Birth Certificate Management System 1.0 Cross Site Scripting

Using its "Exmatter" tool to corrupt rather than encrypt files signals a new direction for financially motivated cybercrime activity, researchers say.

Malware wielded by BlackCat/ALPHV is putting a new spin on the ransomware game by deleting and destroying an organization's data rather than merely encrypting it. The development provides a glimpse of the direction in which financially motivated cyberattacks likely are heading, according to researchers.  

Researchers from security firms Cyderes and Stairwell have observed a .NET exfiltration tool being deployed in relation to BlackCat/ALPHV ransomware called Exmatter that searches for specific file types from selected directories, uploads them to attacker-controlled servers, and then corrupts and destroy the files. The only way to retrieve the data is by purchasing the exfiltrated files back from the gang.

"Data destruction is rumored to be where ransomware is going to go, but we haven’t actually seen it in the wild," according to a blog post published recently on the Cyderes website. Exmatter could signify that the switch is happening, demonstrating that threat actors are actively in the process of staging and developing such capability, researchers said.

Cyderes researchers performed an initial assessment of Exmatter, then Stairwell's Threat Research Team discovered "partially-implemented data destruction functionality" after analyzing the malware, according to a companion blog post.

"The use of data destruction by affiliate-level actors in lieu of ransomware-as-a-service (RaaS) deployment would mark a large shift in the data extortion landscape, and would signal the balkanization of financially-motivated intrusion actors currently working under the banners of RaaS affiliate programs," Stairwell threat researcher Daniel Mayer and Shelby Kaba, director of special operations at Cyderes, noted in the post.

The emergence of this new capability in Exmatter is a reminder of the rapidly evolving and increasingly sophisticated threat landscape as threat actors pivot to find more creative ways to criminalize their activity, notes one security expert.

"Contrary to popular belief, modern attacks are not always just about stealing data, but can be about destruction, disruption, data weaponization, disinformation, and/or propaganda," Rajiv Pimplaskar, CEO of secure communications provider Dispersive Holdings, tells Dark Reading.

These ever-evolving threats demand that enterprises also must sharpen their defenses and deploy advanced security solutions that harden their respective attack surfaces and obfuscate sensitive resources, which will make them difficult targets to attack in the first place, Pimplaskar adds.

**Previous Ties to BlackMatter**

The researchers' analysis of Exmatter is not the first time a tool of this name has been associated with BlackCat/ALPHV. That group — believed to be run by former members of various ransomware gangs, including those from now-defunct BlackMatter — used Exmatter to exfiltrate data from corporate victims last December and January, before deploying ransomware in a double extortion attack, researchers from Kaspersky reported previously.

In fact, Kaspersky used Exmatter, also known as Fendr, to link BlackCat/ALPHV activity with that of BlackMatter in the threat brief, which was published earlier this year.

The sample of Exmatter that Stairwell and Cyderes researchers examined is a .NET executable designed for data exfiltration using FTP, SFTP, and webDAV protocols, and contains functionality for corrupting the files on disk that have been exfiltrated, Mayer explained. That aligns with BlackMatter's tool of the same name.

**How the Exmatter Destructor Works**

Using a routine named "Sync," the malware iterates through the drives on the victim machine, generating a queue of files of certain and specific file extensions for exfiltration, unless they are located in a directory specified in the malware’s hardcoded blocklist.

Exmatter can exfiltrate queued files by uploading them to an attacker-controlled IP address, Mayer said.

"The exfiltrated files are written to a folder with the same name as the victim machine’s hostname on the actor-controlled server," he explained in the post.

The data-destruction process lies within a class defined within the sample named "Eraser" that is designed to execute concurrently with Sync, researchers said. As Sync uploads files to the actor-controlled server, it adds files that have been successfully copied to the remote server to a queue of files to be processed by Eraser, Mayer explained.

Eraser selects two files randomly from the queue and overwrites File 1 with a chunk of code that's taken from the beginning of the second file, a corruption technique that may be intended as an evasion tactic, he noted.

"The act of using legitimate file data from the victim machine to corrupt other files may be a technique to avoid heuristic-based detection for ransomware and wipers," Mayer wrote, "as copying file data from one file to another is much more plausibly benign functionality compared to sequentially overwriting files with random data or encrypting them." Mayer wrote.

**Work in Progress**

There are a number of clues to indicate that Exmatter's data-corruption technique is a work in progress and thus still being developed by the ransomware group, the researchers noted.

One artifact in the sample that points to this is the fact that the second file’s chunk length, which is used to overwrite the first file, is randomly decided and could be as short as 1 byte long.

The data-destruction process also has no mechanism for removing files from the corruption queue, meaning that some files may be overwritten numerous times before the program terminates, while others may never have been selected at all, the researchers noted.

Moreover, the function that creates the instance of the Eraser class — aptly named "Erase" — does not appear to be fully implemented in the sample that researchers analyzed, as it does not decompile correctly, they said.

**Why Destroy Instead of Encrypt?**

Developing data-corruption and destruction capabilities in lieu of encrypting data has a number of benefits for ransomware actors, the researchers noted, especially as data exfiltration and double-extortion (i.e., threatening to leak stolen data) has become a rather common behavior of threat actors. This has made developing stable, secure, and fast ransomware to encrypt files redundant and costly compared to corrupting files and using the exfiltrated copies as the means of data recovery, they said.

Eliminating encryption altogether also can make the process faster for RaaS affiliates, avoiding scenarios in which they lose profits because victims find other ways to decrypt the data, the researchers noted.

"These factors culminate in a justifiable case for affiliates leaving the RaaS model to strike out on their own," Mayer observed, "replacing development-heavy ransomware with data destruction."

BlackCat/ALPHV Gang Adds Wiper Functionality as Ransomware Tactic

Categories: News
Categories: Privacy
Meta is being sued by a couple of its users for allegedly deliberately circumventing Apple's privacy features on the iPhone.



(Read more...)




The post Facebook users sue Meta for allegedly building "secret workaround" to Apple privacy safeguards appeared first on Malwarebytes Labs.

Posted: September 27, 2022 by

Last week, two Facebook users filed a class-action complaint against Meta in San Francisco's federal court, alleging the company built a "secret workaround" to Apple's safeguards that protect iPhone users from tracking. Facebook circumvents Apple's privacy rules by opening in-app browsers within its apps instead of the iPhone's default browser. By doing this, the users further allege Meta violated state and federal laws regarding the unauthorized collection of personal data.

The suit came after Felix Krause (@KrauseFx), a data privacy researcher and former Google engineer, released a report in August 2022 about iOS privacy, featuring a tool he created himself called the InAppBrowser. It can check if an in-app browser injects JavaScript (JS) code, which could be problematic for iOS and Android users as this causes potential security and privacy risks to users.

In the case of Meta, this JS code is Meta Pixel.

"The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser," said Krause in his blog. "This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap."

Krause also included the following caveat: "**Important**: Just because an app injects JavaScript into external websites, doesn’t mean the app is doing anything malicious. There is no way for us to know the full details on what kind of data each in-app browser collects, or how or if the data is being transferred or used."

In an email interview with Bloomberg, a spokesperson from Meta said that Krause's allegations are "without merit" and it will defend itself.

"We have designed our in-app browser to respect users' privacy choices, including how data may be used for ads," the email statement said.

In February, Meta admitted that Apple's App Tracking Transparency (ATT) feature would decrease its ad revenue by $10B. This admission, according to CNBC, is "the most concrete data point so far on the impact to the advertising industry" in terms of Apple's privacy feature, which limits companies from accessing the data of iPhone users.

"This allows Meta to intercept, monitor, and record its users' interactions and communications with third parties, providing data to Meta that it aggregates, analyzes, and uses to boost its advertising revenue," the suit reads.

Facebook and Instagram weren't the only apps mentioned in Krause's report. TikTok, Snapchat, and Amazon were also mentioned.

**RELATED ARTICLES**

Tag

#ios