By Waqas
Work from home or WFH is a blessing for employees, but it can be a disguise when it comes to data security. Protecting yourself and your work infrastructure at home from cyberattacks is crucial.
This is a post from HackRead.com Read the original post: Top Data Security Issues of Remote Work

The surge in remote work has brought about intense concerns regarding data security including unsecured home networks and the increased use of personal devices pose significant challenges.

You’re living in an era where traditional office spaces are rapidly becoming a thing of the past. The advent of technology and the internet has brought about a paradigm shift in the way you work. This shift, however, has also ushered in new challenges, especially concerning data security. Data is the lifeblood of modern businesses, and its security should be a top priority.

The shift to remote work has only increased the need for robust data security measures. With employees accessing confidential information from a variety of locations and devices, the risk of data breaches has never been higher. Therefore, it’s important to understand these risks and implement effective measures to mitigate them.

In this article, you’ll explore the top data security issues of remote work and how to manage them effectively. Let’s begin.

****The Growth of Remote Work****

While the return-to-office initiative is on the rise, many organizations still allow remote or hybrid work arrangements. In 2023 alone, 28.2% of full-time employees use a hybrid approach, while 12.7% work from home. The flexibility offered by remote work is a big draw for many employees, and businesses are finding that it can also lead to increased productivity and cost savings.

However, as the number of remote workers increases, so does the risk of data security issues. Working from home often means using less secure home networks and personal devices, which can be a goldmine for cybercriminals. Furthermore, the lack of direct supervision makes enforcing corporate policies and regulatory requirements harder.

****Top Remote Work Data Security Issues****

One of remote work’s most significant data security issues is the risk of data breaches. In a traditional office setting, physical security measures can prevent unauthorized access to sensitive data. However, in a remote work setting, these measures are often absent. Moreover, the increased use of cloud services for collaboration and data storage also presents additional risks.

Another major issue is the vulnerability of home networks, which frequently lack the security measures found in corporate environments. Home networks, unlike corporate networks, frequently lack strict firewalls and antivirus software, making them a prime target. Cybercriminals can easily exploit these security flaws, putting personal information and data at risk. As a result, strengthening home network security is critical.

Other security issues to keep in mind include:

*   **Use of Personal Devices**: Remote employees frequently use personal devices for work, which can jeopardize data security. These devices may lack the same level of security as company-supplied equipment, making them more vulnerable to cyber threats and data breaches.
*   **Enforcing Corporate Policies and Regulatory Requirements** – Enforcing corporate policies and regulatory requirements is another major challenge with remote work. Ensuring compliance with data security policies can be difficult without the physical presence of supervisors and IT staff.
*   **Increased Risk of Phishing, Malware, and Social Engineering** – Remote workers are also more susceptible to phishing, malware, and social engineering attacks. These attacks often exploit human error and can lead to significant data breaches. Therefore, educating remote workers about these threats and how to avoid them is essential.
*   **Inadequate Secure Wi-Fi Networks**: Remote workers typically connect to corporate networks through unsecured or public Wi-Fi networks, which poses a significant security risk. Cybercriminals can easily exploit these networks by intercepting data transmission or injecting malware, potentially resulting in data breaches or system compromises. 

****Managing the Data Security Issues of Remote Work****

Regardless of these challenges, there are ways to effectively manage the data security issues associated with remote work. Implementing a data protection platform and zero-trust security controls are two of the most effective solutions.

A data protection platform is an essential component of today’s cybersecurity strategies. It offers a comprehensive solution for safeguarding sensitive data while meticulously monitoring and controlling data access. Its sophisticated mechanisms ensure that only authorized individuals have access to sensitive data, preserving data integrity and confidentiality. This platform is vital for preventing data breaches, improving regulatory compliance, and providing businesses with a secure digital environment.

Zero-trust security controls, on the other hand, are founded on a fundamental principle: by default, trust no user or device. Because of this, each access request is thoroughly verified before it can be approved. It is not a case of being overly suspicious, but of being proactive in terms of security. By scrutinizing every request, these controls significantly reduce the likelihood of data breaches. This method is extremely effective in preventing unauthorized access while also maintaining the integrity and confidentiality of sensitive data.

Other benefits of using data security tools for remote work include:

*   **Improved Visibility and Control:** Data security tools provide real-time visibility into all data movement, allowing businesses to monitor and control data access effectively.
*   **Improved Compliance:** These tools help to meet regulatory requirements by ensuring that data is handled and stored in a compliant manner, lowering the risk of penalties.
*   **Data Loss Risk is Reduced:** Data protection tools include features like automatic backups and encryption, which reduce the risk of data loss due to accidents or cyber-attacks.
*   **Advanced Threat Detection:** Some tools use artificial intelligence and machine learning to detect suspicious activity or anomalies, preventing potential breaches.
*   **Increased Productivity:** In a secure environment, employees can focus on their work without being concerned about potential data breaches, resulting in increased productivity.
*   **Improved Remote Work Security**: Data security tools include features like secure VPNs and multi-factor authentication, significantly enhancing network security by making it more difficult for unauthorized individuals to access sensitive information.
*   **Cost-Effective**: Implementing these tools can lead to long-term cost savings by preventing costly data breaches and reducing the time and resources spent on recovery after a breach.

Ultimately, remote work presents distinct data security challenges. These challenges, however, can be effectively managed with the right strategies and tools. A solid data protection platform that provides a secure foundation for your digital assets is extremely important.

Coupled with zero-trust security controls, you can ensure solid safeguards for your valuable data. These safeguards are essential to maintaining business continuity, especially in this day and age when remote work is becoming more common. With careful planning and implementation, you can weather the storm of data security threats in a remote work scenario.

****_RELATED ARTICLES_****

1.  **Top 3 data security risks facing businesses**
2.  **Data Security: Key Steps When Transferring Your Digital Workspace**
3.  **Data Security Threats to Businesses: Strategies to Strengthen Defense**
4.  **Nexo Achieves Type 2 SOC 2 Audit, Reinforces Data Security Compliance**
5.  **How cloud data distracts businesses from correct data security practices**

Top Data Security Issues of Remote Work

Talos revealed that rebooting an iOS or Android device may not remove the Predator spyware produced by Intellexa. Intellexa knows if their customers intend to perform surveillance operations on foreign soil.

Thursday, December 21, 2023 11:00

_By Mike Gentile,_ _Asheer Malhotra_ _and_ _Vitor Ventura__._

**Editor’s note:** This blog post is a public version of a talk presented at LabsCon 2023 on Sept. 22, 2023. You can watch a recording of the talk here. Some of the intelligence presented at LabsCon was later confirmed by an Amnesty International blog post released on Oct. 6, 2023.

*   Cisco Talos has a new, in-depth analysis of timelines, operating paradigms and procedures adopted by spyware vendor Intellexa (previously known as Cytrox). 
*   Talos’ analysis revealed that rebooting an iOS or Android device may **_not_** always remove the Predator spyware produced by Intellexa. Persistence is an add-on feature provided by Intellexa for their implants and primarily depends on the licensing options chosen by a customer.
*   Intellexa knows if their customers intend to perform surveillance operations on foreign soil.
*   Two years after its first public exposure, Intellexa’s Predator/Nova spyware solution continues to be undetected by anti-virus solutions. Public reporting on Intellexa’s operations has had little to no impact on their ability to conduct and grow their business across the world.
*   Almost all publications on malicious operations conducted using Intellexa’s spyware consist primarily of malicious domains as indicators of compromise (IOCs). Talos assesses that the disclosure of such domains, managed by the customers, has little to no effect on Intellexa’s operations and enables them to preserve their malware implants due to a lack of technical disclosures. 
*   After many users patched against the exploit chains used by Intellexa as of December 2021, the spyware vendor started shipping a new exploit chain to at least one new customer in early 2022 that covered the same and more recent versions of the Android operating system.

In May 2023, Cisco Talos published the first ever in-depth technical report on Intellexa’s spyware solution named Alien and Predator, showing its inner workings and demonstrating the highly complex software architecture decisions required to make such spyware work properly on the Android operating system. This research also sheds light on several other aspects of the commercial spyware space, like plausible deniability, the impacts of widespread media exposure and recruitment issues.

During the LabsCon 2023 cyber threat intelligence conference, Talos presented the operational risks inherent to the commercial spyware landscape, using Intellexa as a use case.

This research delves into the history of the Alien/Predator line of implants, illustrating how a run-down spyware seller, Cytrox, was bought and transformed into an intelligence agency-grade spyware vendor: Intellexa.

**Implants’ persistence is an add-on in Intellexa’s offering**

Leaked commercial proposals from the Intellexa Alliance have shown that prices per infection are increasing every year, along with the capabilities of the company's technological solution. Rebooting the device is no longer a means to remove the implants from an infected device. 

In 2021, Predator spyware couldn’t survive a reboot on the infected Android system (it had it on iOS). However, by April 2022, that capability was being offered to their customers. Since then, no reports have been published detailing such a mechanism, as there is no reason to believe it has become obsolete. It still doesn’t survive a factory reset, but it is fair to assume that this specific capability will become available, literally breaking all trust in the device beyond recovery.

**Intellexa’s product development journey**

Cytrox was first created in North Macedonia in 2017, and at the time, built Android-based malware. In 2018, Cytrox was acquired by WiSpear and then in 2019 Nexa Technologies, WiSpear (and Cytrox) and Senpai Technologies teamed up to create the Intellexa Alliance, a commercial spyware company that, according to public reports, sells commercial spyware to multiple customers without regard for their potential targets and the spyware’s misuse. 

Senpai Technologies is a company specializing in OSINT and persona creation based out of Israel, while WiSpear, also based in Israel, specializes in Wi-Fi interception. Nexa Technologies (now called RB 42) is a French-based company whose main focus is remote surveillance and security services.

Immediately after the consolidation of all these firms under Intellexa in May 2019, the revamping of Predator began, which at the time, was their flagship spyware for Android. This can be confirmed on the artifacts left on the malware binary due to the use of static library compilation at build time.

By April 2020, the revamp was finished and the malware was ready to be deployed on Android. In May 2020, the developers began working on an iOS “solution” which we assess with medium confidence was a port of Alien/Predator from Android to iOS. Our assessment is based on the fact that the engine that drives the high-level components of the Predator system is similar, if not identical, to the point where some Android artifacts, detailed in the following sections, can be found on the iOS sample.

Evolution timeline

**Pricing model**

Building commercial spyware is a sophisticated and research-driven process. It involves meticulously circumventing, bypassing and exploiting security controls put in place by mobile applications/packages and Operating Systems such as Android and iOS. Combining such potent software into a package with zero or one-click zero-day exploits makes it a highly reliable offensive “solution” – and that is exactly what makes it expensive. As early as 2016, The New York Times reported that the NSO Group charged $650,000 for every 10 infections, with an additional $500,000 for initial setup. Multi-year deals between the NSO Group and Mexico were estimated to be around $15 million – and this was back in 2013.

Fast forward five years to 2021, and another disclosure from The New York Times details the proposal brochure for Intellexa’s Predator framework offering their solution for a whopping 13.6 million Euros for:

*   20 concurrent infections.
*   One-click exploit for initial access.
*   Predator C2 and administrative hardware and software.
*   Project plans, documentation, etc.
*   12 months of warranty support.

Proposal (snipped) defining price and items

Leaked documents from 2022 show that the Nova platform, which is Intellexa’s data-gathering module, was priced at 8 million Euros in 2022. Price tags of 13.6 million or even 8 million Euros is a hefty sum. However, this reinforces the fact that commercial spyware such as those from Intellexa is neither for the common man nor for petty crimeware operators. These solutions are meant for customers with deep pockets and such expenses can only be incurred by state-sponsored agencies.

The pricing model also shows the technological evolution of the product. Based on the leaked proposal dates in July 2022, Intellexa had already incorporated boot survivability into the Android solution. It also increased the support for Android to 18 months. At this point, it is unclear if this is the direct result of Intellexa’s development and research capabilities, or if these are based on exploits acquired that ultimately would result in having such capabilities.

The original persistence mechanism on iOS was the exploitation of the original vulnerability during the boot process by loading the malicious HTML page stored locally. As such, the newly introduced Android persistence mechanism can simply be based on a similar method.

**Plausible deniability**

Intellexa’s commercial proposals are designed to create plausible deniability. These clauses extend from the infrastructure responsibilities to the delivery methods. This is a key aspect of Intellexa’s business model, the goal is to avoid a bad reputation and to claim they are not responsible for what their customers do with their “product” — they claim that they don’t even know who the victims are.

Proposal (snipped) defining responsibilities

The leaked proposals show that the infrastructure and anonymization are the responsibility of the customer. From a deniability point of view, this enables the claim that Intellexa doesn’t know _how_ victims are being targeted. From the operational risk perspective, such clauses also shield Intellexa from any responsibility in the event of a public exposure connecting malicious operations back to the vendor.

Delivery method method

The delivery of Intellexa’s supporting hardware is done at a terminal or airport. This delivery method is known as Cost Insurance and Freight (CIF), which is part of the shipping industry’s jargon (“Incoterms”). This mechanism allows Intellexa to claim that they have no visibility of where the systems are deployed and eventually located. This exact scenario was seen being put into practice when, according to a LighthouseReports

investigation

, Intellexa sold their solution to the Sudanese government.

Source: https://www.lighthousereports.com/investigation/flight-of-the-predator/

Even if we take into consideration the proposal’s terms such as, “Installation and configuration at customer designated facility…” and the “Standard training course ……,” it still does not mean that Intellexa might know where the hardware is located since everything can be done remotely or even without their personnel knowing where the customer’s “solution” is physically located.

Intellexa does have first-hand knowledge of if their software is being used to conduct surveillance operations targeting phone number prefixes other than their customers' country of origin and possibly their jurisdiction. This knowledge is a consequence of the licensing model. Any sale is limited to a single phone country code prefix, but for an additional fee, the customer can license the usage of the solution in additional countries without geographic limitations.

**Business risks****Human resources**

Commercial spyware companies don’t seem to have any kind of problem recruiting highly specialized human resources to develop their solutions. This was evidenced by the LinkedIn profiles of several highly specialized engineers. In one example, the NSO Group in June had just recruited new, highly specialized engineers from an intelligence military unit.

During the development of the iOS implant, Intellexa hired an iOS expert vulnerability researcher who had previously worked for the NSO Group. The timing of the hire indicates that the firm needed to integrate the implant with the exploit chain to deploy it reliably on iOS devices.

Snippet of the iOS security expert Curriculum Vitae

Such “experts” can be found working for and actively hunting for jobs regularly at other commercial spyware vendors too.  For example, a quick search by Talos showed that just in September 2023, the NSO group had hired another security researcher with the same research background:  

Example of employment history

And there are several examples like that. The highly skilled researchers will move from one company to another in the same line of business supplying a constant flow of human resources as needed.

**Target operating system support**

New operating system releases don’t seem to make a considerable impact on the Predator solution. Intellexa now supports OS versions going back 18 months on Android and 12 months on iOS from their last supported version, which may not be the latest. Google releases approximately one new version per year just like Apple. But, the Android OS may consist of beta versions months before general availability. This gives plenty of lead time to Intellexa and their exploit suppliers to develop new exploit chains to use as initial attack vectors. 

It is important to understand that the Alien/Predator implants themselves don’t need to change much between operating system releases. They are written to be as generic and modular as possible, and the modules that need to be specific to an OS version and/or capability are written in Python, which can easily be updated and deployed on the fly via a customer’s infrastructure. 

The components that are more sensitive to operating system updates are the initial access vectors and the persistence mechanisms. These capabilities often rely on exploits that can be patched or new mitigation techniques may render them useless. 

**Vulnerability exploits chain patching**

This is the most sensitive and least controlled part of any commercial spyware solution. Still, one may think that there is a high impact on the operational capability of a commercial spyware vendor, but the reality seems to prove the impact is low, or medium at most. 

Exploit brokers and exploit research companies, sell full or partial exploit chains as a subscription model where the customers are entitled to workable replacements if the purchased chain is patched.

The timeline of events shows that it took Intellexa, at most, six months (probably less) to obtain and integrate a new fully operational exploit chain into their solution, after their Android previous one was patched in Nov 2021. This is confirmed by the fact that, in May 2022, their platform was being shipped to a new customer in Sudan, according to the Lighthouse report.

Overall, this demonstrates that exposing the vulnerabilities used by commercial spyware vendors, although extremely important, does not impose much of a risk on them. In fact, that risk is transferred onto the exploit brokers and vendors.

This has caught the attention of the Biden-Harris administration, to the point that the Intellexa Alliance was added to the Entity List for “_...determination that the companies engaged in trafficking in cyber exploits used to gain access to information systems…_”  In practical terms, U.S.-based companies that deal in exploits cannot do business with the Intellexa galaxy of companies. This means that Intellexa will have to procure its exploits from companies in other regions, which for the time being, doesn’t seem to be a problem. However, if the United Kingdom and the European Union take similar actions, the market will become smaller, making it much harder for these companies to acquire their initial attack vector.

**The lack of impact from public exposure**

The public exposure of commercial spyware companies creates awareness and has gained the attention of governments and regulating bodies. Such disclosures have also been successful at attributing malicious operations conducted by regimes against human rights activists, journalists and civilian dissidents, indicating the lack of a moral compass of many of Intellexa’s “customers.” 

However, exposing regimes conducting these operations seems to have little effect on these companies’ abilities to make money. It may increase the costs by making them buy or create new exploit chains but these vendors appear to have seamlessly acquired new exploit chains, enabling them to remain in business by jumping from one set of exploits to another as a means of initial access. A majority of public disclosures in the commercial spyware space focus on the political aspects of the operations along with listing malicious domains and infrastructure but fail to tear open the inner workings of the malware themselves. The domains and infrastructure exposed in a disclosure are owned and operated by spyware customers themselves, often in silos, meaning that exposing one operation typically may have no impact on all the other customers. However, the risk of exposure will always be primarily based on the efforts put by the customer into their anonymization chain.

Such disclosures may have a substantial impact on the regimes (“customer”), but they fail to impose costs on the spyware vendor themselves. What is needed is the public disclosure of technical analyses of the mobile spyware and tangible samples enabling public scrutiny of the malware. Such public disclosures will not only enable greater analyses and drive detection efforts but also impose development costs on vendors to constantly evolve their implants.

Intellexa and Cytrox: From fixer-upper to Intel Agency-grade spyware

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do not provide an adequate session management for the administrative web interface. This allows adjacent attackers with access to the management network to read and modify the configuration of the device.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

# MOKOSmart MKGW1 Gateway Improper Session Management #

Link: https://github.com/sbaresearch/advisories/tree/public/2022/SBA-ADV-20220120-01_MOKOSmart_MKGW1_Gateway_Improper_Session_Management

## Vulnerability Overview ##

MOKOSmart MKGW1 Gateway devices with firmware version 1.1.1 or below do  
not provide an adequate session management for the administrative web  
interface. This allows adjacent attackers with access to the management  
network to read and modify the configuration of the device.

* **Identifier**            : SBA-ADV-20220120-01  
* **Type of Vulnerability** : Improper Authentication  
* **Software/Product Name** : [MOKOSmart MKGW1 BLE Gateway](https://www.mokosmart.com/mokosmart-mkgw1-gateway-iot-cloud-platform/)  
* **Vendor**                : [MOKO TECHNOLOGY LTD](https://www.mokosmart.com/)  
* **Affected Versions**     : <= 1.1.1  
* **Fixed in Version**      : Not yet  
* **CVE ID**                : Pending  
* **CVSS Vector**           : CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H  
* **CVSS Base Score**       : 8.0 (High)

## Vendor Description ##

> * MKGW1 Bluetooth gateway is mainly used for the MOKO Bluetooth products.  
> * It is convenient for users to get the data of the MOKO series Beacon,  
>   and advertising raw data of any Bluetooth device.  
> * It can upload the data to the server via MQTT (V3.1.1) or HTTP(S)  
>   protocol.  
> * MKGW1 was developed with MediaTek® MT7688AN relying on OpenWrt system  
>   and Nordic® nRF52 platform.  
> * MKGW1 can connect the standard MQTT Broker, Aws IOT, Azure IOT HUB,  
>   Aliyun IOT.

Source: <http://doc.mokotechnology.com/index.php?s=/page/108>

## Impact ##

By exploiting the documented vulnerability, an attacker can gain  
administrative access to the device. For example, this can be misused by  
altering the configuration of the device or by reading out the configured  
network credentials and therefore getting a foothold in the victim's network.

## Vulnerability Description ##

The gateway offers a web-based configuration interface that can be used to  
edit the configuration of the gateway. Username and password are requested  
to authenticate the administrator. After sending the correct credentials the  
device sets a global server-side state to "logged in" for 3600 seconds,  
rather than issuing a session ID. Now any device on the same network can  
access the configuration interface as administrator without any additional  
authentication and read and modify the configuration.

## Proof of Concept ##

Login with the admin credentials on the web interface from a legitimate  
client:

HTTP request:

```http  
POST /goform/login HTTP/1.1  
Host: 192.168.22.1  
Content-Type: application/json  
Content-Length: 39  
Origin: http://192.168.22.1  
Connection: close  
Referer: http://192.168.22.1/sign_in

{"username":"Admin","password":"[redacted]"}  
```

HTTP response:

```http  
HTTP/1.1 200 OK  
Content-type: application/json  
Pragma: no-cache  
Cache-Control: no-cache

{ "state": { "code": 2000, "msg": "ok" }, "data": { "activetime": "3600" } }  
```

The response shown above does not contain any session identifier.  
On another client that can reach the web interface, an attacker can read out  
the configuration without any authentication:

HTTP request:

```http  
GET /goform/get_wan HTTP/1.1  
Host: 192.168.22.1  
Connection: close  
```

HTTP response:

```http  
HTTP/1.1 200 OK  
Content-type: application/json

{ "state": { "code": 2000, "msg": "ok" }, "data": { "wanmode": "WIFI", "wanssid": "[redacted]", "wanencrypt": "[redacted]", "wanpassword": "[redacted]", "proto": "dhcp", "ipaddr": "", "netmask": "", "gateway": "", "firdns": "", "secdns": "" } }  
```

The above proof-of-concept shows that the MOKO gateway cannot distinguish  
between multiple sessions. Therefore, if a legitimate client is logged in,  
an attacker can read the configuration. Furthermore, an attacker can also  
modify the configuration by sending the appropriate `JSON` data to the  
respective `POST` endpoint. Changes to the network can trigger a reboot  
of the device.

## Recommended Countermeasures ##

We are not aware of a vendor fix yet. Please contact the vendor.

We recommend to implement a proper session management for the  
administrative web interface of the device.

## Timeline ##

* `2022-01-20`: identification of vulnerability in version 1.1.1  
* `2022-01-27`: initial vendor contact  
* `2022-03-02`: disclosed vulnerability to vendor contact but received no reply  
* `2023-12-11`: request CVE from MITRE  
* `2023-12-12`: public disclosure

## References ##

* [Moko Gateway Documentation](https://www.mokosmart.com/wp-content/uploads/2019/10/GS-gateway.pdf)

## Credits ##

* Jakob Hagl ([SBA Research](https://www.sba-research.org/))  
* David Lisa Gnedt ([SBA Research](https://www.sba-research.org/))  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEL9Wp/yZWFD9OpIt6+7iGL1j3dbIFAmWB8iQACgkQ+7iGL1j3  
dbK0eg//atfWytZOUPJ3omp9Rjb9sMJwu1Z8LdEZZGsQdsmQXJLaKF3AUDnt2cBx  
CLPVDh32lFbszJiMrJrXjj5WxH8CUtNQFdj1WTN4Uv5MlaRRvipOz7/XTemqRwGP  
+nctTDZHLFCeli4ZD36tE4zKcP3vm+R4e7Zy5BIP74G2Dw2hmFreSt7CC5CqZT3K  
oPo1hMF9PD7WhjYK/lBaxeR+6FkiCm7p/thgyeShHMVygJJjmjF+k3GQ61NmoVXc  
IjwRs+WY8Y/X/SfPjM8tjW/gZFHdOv/r/Gcz1OJs2D2quqmiKuoOhS9b/F8LDHsf  
OnKTNBaWH2oTzmuh7zSan+kPYj42gjpp+aSSoWK7At78yFFvLilCcckwIpKagh4U  
b3W//s5BPKCXJ1a7yH3WYGjbDAOzGMq1g50X1ZDNQ7zdQbELobFSNLWsnPwfN64i  
ljq6tXTOYT+4Jg4hI5I+3vD4q7mf7O2CL4fk5pUHoKMy7P28sxa7wX2jH+02C07J  
PKkaU+V2v4Lvf3PQvGTeupo50bTZX0xYqdmjjr3G9SUD+jESMCHPGaXw/Zpau71U  
uKD9f9MbZ9v/XML3IsBvd22QkayL7eegvmweyLmchp/ppigp99IX3rA7EgGkauW7  
1W7YiybQOvo5xaCiMakIqHXZtFcWIEryT8FRMW5cyraExHGkPPk=  
=jrYM  
-----END PGP SIGNATURE-----

MOKOSmart MKGW1 Gateway Improper Session Management 

By Waqas
The data breach came to light in early November 2023, when Mr. Cooper announced that it had fallen victim to a cyberattack on October 30, 2023. 
This is a post from HackRead.com Read the original post: Mortgage Giant Mr. Cooper Data Breach; 14 Million Users Impacted

Initially, the data breach was thought to affect only 4.3 million current customers, but now the impact has extended to an additional 10 million.

In a new cybersecurity incident, Coppell, Texas-based mortgage and loan giant Mr. Cooper has become the latest victim of a cyberattack that may have compromised the sensitive personal information of more than 14 million individuals, impacting both current and former customers.

The company, in its data breach notifications to **state and federal regulators**, disclosed that the incident initially thought to affect 4.3 million current customers now extends its reach to an additional 10 million past customers.

The severity of the situation prompted the company to file a **data breach notification** with the Maine Attorney General, revealing that a staggering total of 14,690,284 individuals could be affected, with 59,917 of them being residents of Maine.

The data breach came to light in early November 2023, when Mr. Cooper announced that it had fallen victim to a cyberattack on October 30, 2023. The breach, discovered the following day, prompted the company to take swift and decisive action by shutting down all IT systems. This included the temporary closure of the online payment portal, a vital platform used by customers to manage their loan and mortgage payments.

The company is now actively engaged in investigating the extent of the breach and has begun the process of notifying affected individuals. The compromised data is said to include sensitive personal information such as names, email addresses and personal identifiers in combination with Social Security Numbers (SSN), raising concerns about the potential misuse and identity theft implications for the affected customers.

Mr. Cooper has launched a dedicated website to keep impacted customers updated on the data breach. (Screenshot: Hackread.com)

However, Mr. Cooper assures its customers that it is working to enhance its cybersecurity measures to prevent any future breaches. In the meantime, affected individuals are encouraged to remain alert, monitor their financial accounts, and take necessary precautions to safeguard their personal information.

In a comment to Hackread.com, **Claude Mandy**, Chief Evangelist of Data Security at Symmetry Systems highlighted the challenge organizations face with data retention due to legal requirements and business aspirations. Despite the desire to use data for analytics and customer re-engagement, data often remains untouched, leading to breaches that impact both current and past customers.

_“_Unfortunately, a lot of organizations are stuck between a rock and a hard place, when it comes to the retention of data. Various laws and legislature require organizations to keep records for over 7 years, but they also hope to attract their past customers back into the fold and plan to leverage it to develop future analytics insights. In reality, this data just lies untouched where it lies, often long past their actual retention policies. Regardless of the reason, it is not unusual to see breaches impacting not only current customers but previous customers too._“_

Mandy emphasizes the importance of proactive data management, citing an example where Symmetry Systems enabled a Fortune 100 organization to delete 25% of their cloud assets without business impact. Additionally, he notes that the absence of credit card numbers in Mr. Cooper’s breach may suggest the use of outsourced payment providers that tokenize credit card information for enhanced security.

_“_Increasingly our customers with the help of our data-centric monitoring, identify and proactively delete data beyond its retention lifecycle, and further reduce access to sensitive data in a manner commensurate with its actual usage and sensitivity. In one example, we enabled a Fortune 100 organization on Google Cloud to delete over 25% of their cloud assets such as Projects, Identities, and production data without any business impact._“_

_“_The lack of credit card numbers in the breach notification isn’t exceptionally notable given that Mr Cooper doesn’t offer credit card facilities to its customers, and mortgage companies generally restrict credit card payments for mortgages. For other organizations that do, this may be a sign that they are leveraging an outsourced payment provider that tokenizes (i.e. replaces with a token) credit card numbers to secure them._“_

The announcement of the data breach at Mr. Cooper came just days after Delta Dental, a dental insurance provider based in Oak Brook, Illinois, United States, **revealed that it had experienced a data breach** affecting 7 million customers.

Nevertheless, impacted individuals are urged to be watchful for **phishing emails** that may falsely claim to originate from the company, claiming to provide new updates. However, the actual motive could be to exploit the situation and attempt to steal user data.

****_RELATED ARTICLES_****

1.  **Sensitive Data of 123 Million American Households Exposed​**
2.  **Hackers Claim Major Data Breach at Smart WiFi Provider Plume**
3.  **Mortgage Broker 8Twelve Exposes Data of Canadian Residents**
4.  **Sony Data Breach via MOVEit Vulnerability Affects Thousands in US**
5.  **Cybercriminals Selling Social Security Numbers of Infants on Dark Web**

Mortgage Giant Mr. Cooper Data Breach; 14 Million Users Impacted

Apple Security Advisory 12-11-2023-8 - watchOS 10.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-8 watchOS 10.2

watchOS 10.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214041.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accounts  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

ExtensionKit  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

ImageIO  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3quQACgkQX+5d1TXa  
IvoPPhAAgReQjt/dYzFqQbyMQQPLK1iDWh9s0M+PbHz5x+eS6vSX/OpkLNFy6MC1  
kHQI1EaV37/3sRqko8eX+f/deKqPi59tSV3BALedLV2v8F+4ioXIzsyGWsSYzor4  
U1l4h7fNA64060MR35dlvYnB2FsNnyVI6hlhEyfEEZXVMX4cX0KX5l5a7m/wKmQK  
tpDOak7WVEIj5aLk/e0IQBjpOJW8c2Moa8PTtERr1jJsp+PVrXNu9zZfHWhsCn02  
KPa26RRDtiru7KpXlRy2vzOQeCgJmRZH1CKVWKSiLEjTZnKWM1IF1LTYBJalDGbS  
nOvV6BcVD4rdbbi4cYlPic+Z65YKw+ctW0bNAgnim8RyOF28VNQX8DOcYKZnyqPS  
jYLG5rAq0oKtJztwDkIKc2nc0FrxZzV3f4QwTaFWbVzN0koYJJpVKDs5GgGQ/2MG  
4MtuxRuK2j5eibLInW33K58XCVpAidhiU5YaeIG5dbzf0YKXsUmKImmXap5SKnSe  
fwf6kEFR7keGiu8tlEOnBonDIOhFyWeiK785WhxdwrWMJNHQUegTTYItNrtrzaZr  
Q/lDfMQ9/1L38Jj/OuR1WSdBpDKmT9jepE2mLZb4fQasALJlGh9g1uFTaTl883QG  
uADzZx+TIGO2RIlMGPxwwr4+I2kpi1x/amwRjzCzvwr9+nQDyyk=  
=MttV  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-8

Apple Security Advisory 12-11-2023-7 - tvOS 17.2 addresses code execution and out of bounds read vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-7 tvOS 17.2

tvOS 17.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214040.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

AVEVideoEncoder  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may disclose sensitive information. Apple  
is aware of a report that this issue may have been exploited against  
versions of iOS before iOS 16.7.1.  
Description: An out-of-bounds read was addressed with improved input  
validation.  
WebKit Bugzilla: 265041  
CVE-2023-42916: Clément Lecigne of Google's Threat Analysis Group

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been exploited  
against versions of iOS before iOS 16.7.1.  
Description: A memory corruption vulnerability was addressed with  
improved locking.  
WebKit Bugzilla: 265067  
CVE-2023-42917: Clément Lecigne of Google's Threat Analysis Group

Additional recognition

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qngACgkQX+5d1TXa  
Ivrv3RAAuQY01CVjPIhf1IVMNryEZAW+NEm29U419ldBlHWNENHiXD7dF5cPNcDd  
fVlyxJ4zXCjIMflrS5oOGjqtsJvMfL99QaF9of5elxBjF8wA3d3bslESVveUw4/n  
OflBE44Ghbg2nNd/wQiiLCDWCbKyVk9R5Vm1c2L5+afg4dyppaNME4oxq7itnyjr  
UmNv7Sb2pxjjew0L9YAV15DaZmH30By6jRIKynS0+P1Eys/Vx3JVwC6QOOba6ixF  
OxO/Ki4vFAuwxnC9hGbYon6QTpMAuI0nzQAD/RYtpQMtkPkZ3dPPeA7DBs8TIxIo  
8QKfABYt5QY+VKFaTbNclzMu0/l/l3AcaZsbKTsyM1rEH8hACZKlkVQxQ3GhVXbe  
Hmc6JqOA+fpVJya7RUNCyo3Kq4jKf8Rgj+rDJyHSqZ8vEHr/qrLmgvEsHfhAPq46  
tUZMuVrHtcREKzxLh2Os4hCs68kcEG3w9Q2n5a5UHskLBYimhFTsp5ajClNC1l1w  
KiVW8SmDL7zt5ApNWRNa1Pc3ZxvAUousVbuMWt6VP40mz9AHKs8VsoscMwQkzscs  
OMkrHUJdQfki+GLsd4Zk54/VjQR1CFtr1xBPZkKPW4WCinjAiw73fuOCzTz4f+rZ  
Dwvd0BGIGPWaRewZhcxPXrSHDj91bbBLRkOPn5JVDkbP3eXRbAU=  
=IKXm  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-7

Apple Security Advisory 12-11-2023-4 - macOS Sonoma 14.2 addresses code execution, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-12-11-2023-4 macOS Sonoma 14.2

macOS Sonoma 14.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214036.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Accessibility  
Available for: macOS Sonoma  
Impact: Secure text fields may be displayed via the Accessibility  
Keyboard when using a physical keyboard  
Description: This issue was addressed with improved state management.  
CVE-2023-42874: Don Clarke

Accounts  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42919: Kirin (@Pwnrin)

AppleEvents  
Available for: macOS Sonoma  
Impact: An app may be able to access information about a user's contacts  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42894: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

AppleGraphicsControl  
Available for: macOS Sonoma  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination or arbitrary code execution  
Description: Multiple memory corruption issues were addressed with  
improved input validation.  
CVE-2023-42901: Ivan Fratric of Google Project Zero  
CVE-2023-42902: Ivan Fratric of Google Project Zero, and Michael  
DePlante (@izobashi) of Trend Micro Zero Day Initiative  
CVE-2023-42912: Ivan Fratric of Google Project Zero  
CVE-2023-42903: Ivan Fratric of Google Project Zero  
CVE-2023-42904: Ivan Fratric of Google Project Zero  
CVE-2023-42905: Ivan Fratric of Google Project Zero  
CVE-2023-42906: Ivan Fratric of Google Project Zero  
CVE-2023-42907: Ivan Fratric of Google Project Zero  
CVE-2023-42908: Ivan Fratric of Google Project Zero  
CVE-2023-42909: Ivan Fratric of Google Project Zero  
CVE-2023-42910: Ivan Fratric of Google Project Zero  
CVE-2023-42911: Ivan Fratric of Google Project Zero  
CVE-2023-42926: Ivan Fratric of Google Project Zero

AppleVA  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42882: Ivan Fratric of Google Project Zero

Archive Utility  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42924: Mickey Jin (@patch1t)

AVEVideoEncoder  
Available for: macOS Sonoma  
Impact: An app may be able to disclose kernel memory  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42884: an anonymous researcher

Bluetooth  
Available for: macOS Sonoma  
Impact: An attacker in a privileged network position may be able to  
inject keystrokes by spoofing a keyboard  
Description: The issue was addressed with improved checks.  
CVE-2023-45866: Marc Newlin of SkySafe

CoreMedia Playback  
Available for: macOS Sonoma  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with improved checks.  
CVE-2023-42900: Mickey Jin (@patch1t)

CoreServices  
Available for: macOS Sonoma  
Impact: A user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2023-42886: Koh M. Nakagawa (@tsunek0h)

ExtensionKit  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)

Find My  
Available for: macOS Sonoma  
Impact: An app may be able to read sensitive location information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)

ImageIO  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42898: Junsung Lee  
CVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung Lee

IOKit  
Available for: macOS Sonoma  
Impact: An app may be able to monitor keystrokes without user permission  
Description: An authentication issue was addressed with improved state  
management.  
CVE-2023-42891: an anonymous researcher

Kernel  
Available for: macOS Sonoma  
Impact: An app may be able to break out of its sandbox  
Description: The issue was addressed with improved memory handling.  
CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv  
(@Synacktiv)

ncurses  
Available for: macOS Sonoma  
Impact: A remote user may be able to cause unexpected app termination or  
arbitrary code execution  
Description: This issue was addressed with improved checks.  
CVE-2020-19185  
CVE-2020-19186  
CVE-2020-19187  
CVE-2020-19188  
CVE-2020-19189  
CVE-2020-19190

SharedFileList  
Available for: macOS Sonoma  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with improved checks.  
CVE-2023-42842: an anonymous researcher

TCC  
Available for: macOS Sonoma  
Impact: An app may be able to access protected user data  
Description: A logic issue was addressed with improved checks.  
CVE-2023-42932: Zhongquan Li (@Guluisacat)

Vim  
Available for: macOS Sonoma  
Impact: Opening a maliciously crafted file may lead to unexpected  
application termination or arbitrary code execution  
Description: This issue was addressed by updating to Vim version  
9.0.1969.  
CVE-2023-5344

WebKit  
Available for: macOS Sonoma  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 259830  
CVE-2023-42890: Pwn2car

WebKit  
Available for: macOS Sonoma  
Impact: Processing an image may lead to a denial-of-service  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 263349  
CVE-2023-42883: Zoom Offensive Security Team

Additional recognition

Memoji  
We would like to acknowledge Jerry Tenenbaum for their assistance.

Wi-Fi  
We would like to acknowledge Noah Roskin-Frazee and Prof. J.  
(ZeroClicks.ai Lab) for their assistance.

macOS Sonoma 14.2 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qdUACgkQX+5d1TXa  
Ivp5JQ/9FhhIgATXMT6vd3gK4Bqn3JRODRK+rBcNBjb0zMKWh42fXqZA81K86Ksv  
FB6/OxqYmdo9NI2g7VMj0I7vS8cQf2ZE0sjSYObkuZ32As5y7Ov+xvNnrCjLuwV3  
vrDlBFRRS7KWNskNEV4ciT+ECHUYU6Jkrpt/TqpmR/B/fFxNfjE2Ibeuy56CSlGi  
FYCasHeyI5pC4kfetYG6Jo7RwcK1nCbNWHB3+zKQItvkkwV3nVBF+QjJGD/aEzz3  
X8Jp/hf3taYesK45lr6HWGcuuAGLAAYkjfxz8lLYDQ4AoQ5Xi9WCTjEX9shdKgoF  
oo1JQDCEuhLXK+1vOxoYEmUAKMRQMMlRMtZgft8hPh6Pce8gYcI0Rez3RT5+m2+U  
C7d0+97gnpssZkq2JRdyjogl5ACNHGD81jBHg33PppnjTptKNn8JSyXIZLBM3zK/  
jQRLmEAlJkl6MgnWKiy+pyzPxCsoFJnOJG481sLTEfQbiQONFIUV3YTesxbIv2a0  
8yAM0cFf5cqF6frS81zn8vYfdPJU6HJ3OQGmumLQ4UJAbWY7zg9XbyyZTFw2woGj  
0IvoSEBuP4e25JznB1/nchP7W4MJ9VfAzMe/MyBqOibHgomkY1UQqdvWz7olK3Bb  
5NkKt5PVTVjAH+R5wVnnXPlWq7Rgfg2m0Y9g3FwTm4WPrIUT5Us=  
=c6Yv  
-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-4

Apple Security Advisory 12-11-2023-2 - iOS 17.2 and iPadOS 17.2 addresses code execution and spoofing vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-12-11-2023-2 iOS 17.2 and iPadOS 17.2iOS 17.2 and iPadOS 17.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT214035.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.AccountsAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42919: Kirin (@Pwnrin)AVEVideoEncoderAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to disclose kernel memoryDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42884: an anonymous researcherBluetoothAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker in a privileged network position may be able toinject keystrokes by spoofing a keyboardDescription: The issue was addressed with improved checks.CVE-2023-45866: Marc Newlin of SkySafeEntry added December 11, 2023ExtensionKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to access sensitive user dataDescription: A privacy issue was addressed with improved private dataredaction for log entries.CVE-2023-42927: Noah Roskin-Frazee and Prof. J. (ZeroClicks.ai Lab)Find MyAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to read sensitive location informationDescription: This issue was addressed with improved redaction ofsensitive information.CVE-2023-42922: Wojciech Regula of SecuRing (wojciechregula.blog)ImageIOAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.CVE-2023-42898: Junsung LeeCVE-2023-42899: Meysam Firouzi @R00tkitSMM and Junsung LeeKernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An app may be able to break out of its sandboxDescription: The issue was addressed with improved memory handling.CVE-2023-42914: Eloi Benoist-Vanderbeken (@elvanderb) of Synacktiv(@Synacktiv)Safari Private BrowsingAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Private Browsing tabs may be accessed without authenticationDescription: This issue was addressed through improved state management.CVE-2023-42923: ARJUN S DSiriAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: An attacker with physical access may be able to use Siri toaccess sensitive user dataDescription: The issue was addressed with improved checks.CVE-2023-42897: Andrew Goldberg of The McCombs School of Business, TheUniversity of Texas at Austin (linkedin.com/andrew-goldberg-/)WebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary code executionDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 259830CVE-2023-42890: Pwn2carWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,and iPad mini 5th generation and laterImpact: Processing an image may lead to a denial-of-serviceDescription: The issue was addressed with improved memory handling.WebKit Bugzilla: 263349CVE-2023-42883: Zoom Offensive Security TeamAdditional recognitionSafari Private BrowsingWe would like to acknowledge Joshua Lund of Signal Technology Foundationfor their assistance.Setup AssistantWe would like to acknowledge Aaron Gregory of Acoustic.com and EasternIllinois University – Graduate School of Technology for theirassistance.WebKitWe would like to acknowledge 椰椰 for their assistance.Wi-FiWe would like to acknowledge Noah Roskin-Frazee and Prof. J.(ZeroClicks.ai Lab) for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.2 and iPadOS 17.2".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmV3qS0ACgkQX+5d1TXaIvpuvRAAsTLfKiqLQl5qptq6yCPw8oPdttsnGkfZG//ISfcC46tZQI0BGjdFTEww2QUYOde00FMqk99ubD0/lE7gs/BdVP+1cSiG90FfZsHt/q0Jm+eIbhIsQdCs8eLcBOVAdPRLCJ1kdD13zbpnHH+IoZUPVTlY4gVo5ps1DP1iOHBWMN2ks3RNW7+NQ3ygCxyCs9qLce+zC7p69rCbCSvqmdEfC7OZ2tEFwELJcWgDDzVpa9nxBMSXp67qvFamSHsdZu+mBOyDpgRaQ77s/LL6Aj/EUzGoqu9j0K+fYht/prPtswa7mBvqi3qXyJUUW1TqQzquo3jRoestFuyuLol9PsufcJB2HbsswT/9qaYx9fO6g6M3uj3fu9NkojPtO45gxHkaIcO/h0ixpGrjg8ZlfKTkGN7DoQ97pv+DxUrhIFskUKRZLF5Xb6B5mztLBu5UePYRPVHi9qe48qN8/g7X8z9VvzmR++ns45ODRns7/PH8DHlJXa8+xoJkn+9nL2Q9x7zkcD/YNbgMstROhtbqczk1tSbqF+J9tnKC+PzW+vhBwDMat8h+jC7QKPh0d9oTBNiqhECRlb+6OewTf5f1UBbrgjGOvk/xgz+RS96aAOUNkcoJ6WDXcSlga3ERMO1jBqle3G3LlSvTqtwJ53PHnzBMogk1m5Bo0OSOJYjIOczKm3g==71FW-----END PGP SIGNATURE-----

Apple Security Advisory 12-11-2023-2

Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities.
This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of

Mobile Communication / Firmware security

Google is highlighting the role played by Clang sanitizers in hardening the security of the cellular baseband in the Android operating system and preventing specific kinds of vulnerabilities.

This comprises Integer Overflow Sanitizer (IntSan) and BoundsSanitizer (BoundSan), both of which are part of UndefinedBehaviorSanitizer (UBSan), a tool designed to catch various kinds of undefined behavior during program execution.

"They are architecture agnostic, suitable for bare-metal deployment, and should be enabled in existing C/C++ code bases to mitigate unknown vulnerabilities," Ivan Lozano and Roger Piqueras Jover said in a Tuesday post.

UPCOMING WEBINAR

Beat AI-Powered Threats with Zero Trust - Webinar for Security Professionals

Traditional security measures won't cut it in today's world. It's time for Zero Trust Security. Secure your data like never before.

Join Now

The development comes months after the tech giant said it's working with ecosystem partners to increase the security of firmware that interacts with Android, thereby making it difficult for threat actors to achieve remote code execution within the Wi-Fi SoC or the cellular baseband.

IntSan and BoundSan are two of the compiler-based sanitizers that Google has enabled as an exploit mitigation measure to detect arithmetic overflows and perform bounds checks around array accesses, respectively.

Google acknowledged that while both BoundSan and IntSan incur a substantial performance overhead, it has enabled it in security-critical attack surfaces ahead of a full-fledged rollout over the entire codebase. This covers -

*   Functions parsing messages delivered over the air in 2G, 3G, 4G, and 5G
*   Libraries encoding/decoding complex formats (e.g., ASN.1, XML, DNS, etc.)
*   IMS, TCP, and IP stacks, and
*   Messaging functions (SMS, MMS)

"In the particular case of 2G, the best strategy is to disable the stack altogether by supporting Android's '2G toggle,'" the researchers said. "However, 2G is still a necessary mobile access technology in certain parts of the world and some users might need to have this legacy protocol enabled."

It's worth noting that the "tangible" benefits arising out of deploying sanitizers notwithstanding, they do not address other classes of vulnerabilities, such as those related to memory safety, necessitating a transition of the codebase to a memory-safe language like Rust.

In early October 2023, Google announced that it had rewritten the Android Virtualization Framework's (AVF) protected VM (pVM) firmware in Rust to provide a memory-safe foundation for the pVM root of trust.

"As the high-level operating system becomes a more difficult target for attackers to successfully exploit, we expect that lower level components such as the baseband will attract more attention," the researchers concluded.

"By using modern toolchains and deploying exploit mitigation technologies, the bar for attacking the baseband can be raised as well."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Using Clang Sanitizers to Protect Android Against Cellular Baseband Vulnerabilities

In GL.iNET GL-AR300M routers with firmware 3.216 it is possible to inject arbitrary shell commands through the OpenVPN client file upload functionality.

**Inspiring a Smarter Lifestyle for Families and Enterprises Across the World.**

GL.iNet is a leading developer of OpenWrt Wi-Fi and IoT Network Solutions. We build Wi-Fi routers, IoT gateways and remote device management platforms for a wide range of scenarios. We believe all successful businesses build upon a strong and secure foundation, which is why our engineers are passionate about understanding your needs and utilizing their expertise to tailor reliable and secure network architecture that solve your problems.

**Explore GL.iNet Products in Different Fields**

Our engineers work hard to create top-of-the-line manufacturing solutions for your customized needs

**Cellular Connectivity**

Multi-protocols IoT Gateways that provides LTE connectivity for IoT sensor devices

LEARN MORE

**GoodCloud**

Device Management, data collection, processing and visualization of your IoT project

LEARN MORE

**Site-to-Site**

Remote access to your internal business network securely

LEARN MORE

**White Label Service**

Customize networking devices and software on demand

LEARN MORE

**RV Connectivity**

Unmatched Connectivity on Your RV Adventures with Our Multi-WAN Router

LEARN MORE

**WiFi 6 & 5G NR Network**

Unleash the Power of WiFi 6 & 5G NR Technology

LEARN MORE

**VPN on Routers**

The Best Commercial VPN Service Providers in 2023

LEARN MORE

**In the news**

We are proud that others have found our products as interesting and exciting as we do.

Tag

#wifi