Cyber security aggregate rss news

Cyber security aggregator - feeds history


 Technology

In July 2022, Apple announced a new protection feature for its devices. Called Lockdown Mode, it severely restricts the functionality of your Apple smartphone, tablet or laptop. Its purpose is to reduce the success rate of targeted attacks, which politicians, activists and journalists, among others, are subjected to.

Lockdown Mode is set to appear in the upcoming releases of iOS 16 (for smartphones), iPadOS 16 (for tablets) and macOS 13 Ventura (for desktops and laptops). For ordinary users, this operating mode is likely to cause more inconvenience than actual good. For this reason, Apple recommends it only to users whose activities mean they are likely to face targeted attacks. In this post, we analyze the ins and outs of Lockdown Mode, compare the new restrictions with the capabilities of well-known exploits for Apple smartphones and examine why this mode, although useful, is no silver bullet.

Lockdown Mode in detail

Before the end of this year, with the release of the new versions of iOS, your Apple smartphone or tablet (if relatively recent, that is, no earlier than 2018) will have the new Lockdown Mode in its settings.

[Image: Lockdown Mode activation screen on an Apple smartphone.]

After activation, the phone will reboot, and some small (but, for some people, vital) features will stop working. For example, iMessage attachments will be blocked and websites may stop working properly in the browser. It will be harder for people you've had no contact with before to reach you. All of these restrictions are an effort to close the entry points most commonly exploited by attackers. Digging deeper, Lockdown Mode introduces the following restrictions on your Apple device:

1. In iMessage chats, you can see only text and images sent to you. All other attachments will be blocked.
2. Some technologies will be disabled in the browsers, including just-in-time compilation.
3. All incoming invitations to communicate through Apple services will be blocked. For example, you will be unable to make a FaceTime call if you have not previously chatted with the other user.
4. If locked, your smartphone will not interact in any way with your computer (or other external devices connected with a cable).
5. It won't be possible to install configuration profiles or enroll the phone into Mobile Device Management (MDM).

The first three measures aim to limit the most common remote targeted attack vectors on Apple devices: an infected iMessage, a link to a malicious website and an incoming video call. The fourth is designed to protect against someone connecting your iPhone, if left unattended, to a computer and stealing valuable information through a vulnerability in the communication protocol. And the fifth restriction makes it impossible to connect a smartphone in Lockdown Mode to an MDM system. Companies often use MDM for security purposes, such as deleting information on a lost phone. But this feature can also be used to steal data, since it gives the MDM administrator wide-ranging control over the device.

All in all, Lockdown Mode sounds like a good idea. Maybe we should all put up with some inconvenience to stay safe?

Features versus bugs

Before addressing this question, let's assess how radical Apple's solution actually is. If you think about it, it's the exact opposite of all established norms in the industry. Usually, it goes like this: first, a developer comes up with a new feature, rolls it out and then wrestles to rid the code of bugs. With Lockdown Mode, on the other hand, Apple proposes giving up a handful of existing features for the sake of better protection.

A simple (and purely theoretical) example: suppose the maker of a messenger app adds the ability to exchange beautiful animated emojis, and even create your own. Then it turns out that it's possible to create an emoji that causes the devices of all recipients to constantly reboot. Not nice. To avoid this, the feature should have been scrapped, or more time should have been spent on vulnerability analysis. But it was more important to release and monetize the product as quickly as possible. In this behind-the-scenes struggle between security and convenience, the latter always won. Until now — for Apple's new mode places security ahead of everything else. There's only one word to describe it: cool.

Does it mean that iPhones without Lockdown Mode are unsafe?

Apple mobile devices are already pretty secure, which is important in the context of this announcement. Stealing data from an iPhone isn't easy, and Apple is bending over backwards to keep it that way. For example, your biometric information for unlocking your phone is stored only on the device and is not sent to the server. Data in the phone's storage is encrypted. Your PIN to unlock the phone cannot be brute-forced: after several wrong attempts, the device is locked. Smartphone apps run in isolation from each other and cannot, generally speaking, access data stored by other apps. Hacking an iPhone is getting harder every year. For most users, this level of security is more than sufficient.

So why add yet more protection? The question concerns a fairly small number of users whose data is so valuable that those who want it are prepared to go to extraordinary lengths to get it. Extraordinary lengths in this context means spending a lot of time and money on developing complex exploits able to bypass known protection systems. Such sophisticated cyberattacks threaten only a few tens of thousands of people in the whole world. This ballpark figure is known to us from the Pegasus Project. In 2020, a list was leaked of some 50,000 names and phone numbers of individuals who allegedly had (or could have) been attacked using a piece of spyware developed by NSO Group. This Israeli company has long been criticized for its legal development of hacking tools for clients, who include many intelligence agencies worldwide. NSO Group itself denied any link between its solutions and the leaked list of targets, but evidence later emerged that activists, journalists and politicians (all the way up to heads of state and government) had indeed been attacked using the company's technologies. Developing exploits, even legally, is a dodgy business that can result in the leakage of extremely dangerous attack methods, which anyone can then use.

How sophisticated are exploits for iOS?

The complexity of these exploits can be gauged by looking at a zero-click attack that Google's Project Zero team investigated at the end of last year. Normally, the victim at least has to click a link to activate the attacker's malware, but zero-click means that no user action is required to compromise the targeted device. In the case described by Project Zero, it is sufficient to send a malicious message to the victim in iMessage, which on most iPhones is enabled by default and replaces regular texts. In other words, it is enough for an attacker to know the victim's phone number and send a message, whereupon they gain remote control over the targeted device.

The exploit is very complicated. In iMessage, the victim receives a file with the GIF extension that is actually not a GIF at all but rather a PDF compressed using a certain algorithm that was fairly popular back in the early 2000s. The victim's phone attempts to show a preview of this document. In most cases, Apple's own code is used for this, but for this particular compression a third-party program is employed. And in it, a vulnerability was found — a not particularly remarkable buffer overflow error. To put it as simply as possible, built around this minor vulnerability is a separate and independent computational system, which ultimately executes malicious code. In other words, the attack exploits a number of non-obvious flaws in the system, each of which seems insignificant in isolation. However, if they are strung together in a chain, the net result is iPhone infection by means of a single message, with no user clicks required.

This, quite frankly, is not something a teenage hacker might accidentally stumble across. Nor is it something a team of regular malware writers might create: they are usually after a much more direct route to monetization. Such a sophisticated exploit must have required many thousands of hours and many millions of dollars to create. But let's remember a key feature of Lockdown Mode mentioned above: almost all attachments are blocked. This is precisely to make zero-click attacks far harder to pull off, even if the iOS code does contain the corresponding bug. The remaining features of Lockdown Mode are there to close other common entry points for targeted attacks: the web browser, a wired connection to a computer, incoming FaceTime calls. For these attack vectors, there already exist quite a few exploits, though not necessarily in Apple products.

What are the chances of such an elaborate attack being deployed against you personally if you are not on the radar of intelligence services? Pretty much zero unless you get hit by accident. Therefore, for the average user, using Lockdown Mode doesn't make much sense. There is little point in making your phone or laptop less usable in exchange for a slight decrease in the chances of being on the receiving end of a successful attack.

Not by lockdown alone

On the other hand, for those who are in the circle of potential targets of Pegasus and similar spyware, Apple's new Lockdown Mode is certainly a positive development, but not a silver bullet. In addition to (and, until its release, instead of) Lockdown Mode, our experts have a few other recommendations. Keep in mind, this is about a situation in which someone very powerful and very determined is hunting for your data. Here are a few tips:

- Reboot your smartphone daily. Creating an iPhone exploit is already hard; making it resistant to a reboot is much harder. Turning off your phone regularly will provide a little more protection.
- Disable iMessage altogether. Apple is unlikely to recommend this, but you can do it yourself. Why just reduce the chances of an iMessage attack when you can eliminate the whole threat in one fell swoop?
- Do not open links. In this case, it doesn't even matter who sent them. If you really need to open a link, use a separate computer and preferably the Tor browser, which hides your data.
- If possible, use a VPN to mask your traffic. Again, this will make it harder to determine your location and harvest data about your device for a future attack.

For more tips, see Costin Raiu's post Staying safe from Pegasus, Chrysaor and other APT mobile malware.

 Malware and Vulnerabilities

Microsoft warned that threat actors are increasingly using malicious IIS web server extensions to backdoor unpatched Exchange servers. Between January and May, the attackers targeted several servers to access victims' email mailboxes, steal credentials and sensitive data, and run commands. Compared with general web application threats such as web shells, IIS modules are rarely used as backdoors.

 Trends, Reports, Analysis

In its latest report, Vade provided a ranking of the top 25 most impersonated brands in phishing attacks. Microsoft came in at #1 on the list, followed by Facebook. Rounding out the top five are Crédit Agricole, WhatsApp, and Orange.

 Trends, Reports, Analysis

According to researchers, Subzero is similar to Pegasus in functionality and allows attackers to remotely and silently break into a victim’s computer, phone, network infrastructure, and IoT devices.

 Malware and Vulnerabilities

Experts discovered eerie similarities between LockBit 3.0 and BlackMatter, from overlaps in harvesting and privilege escalation routines to the use of anti-debugging and threading to disrupt analysis. There are a couple of major differences as well, but not enough to rule out the probability of the two groups collaborating. Organizations are advised to adopt a multilayered approach to harden their entry points, such as email, endpoint, network, and web.

 Trends, Reports, Analysis

SonicWall recorded 2.8 billion malware hits globally, in H1 2022, marking an 11% rise over 2021. This amounts to an average of 8,240 malware attempts per target. This is the first recorded rise in three years.

 Malware and Vulnerabilities

Researchers have highlighted new malware campaigns that are targeting MS SQL servers to install proxyware and earn money by sharing their victims' network bandwidth. Proxyware operators target MS SQL servers because they are located in corporate networks or data centers with plenty of internet bandwidth.

 Feed

Ubuntu Security Notice 5542-1 - It was discovered that Samba did not handle MaxQueryDuration when being used in AD DC configurations, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. Luke Howard discovered that Samba incorrectly handled certain restrictions associated with changing passwords. A remote attacker being requested to change passwords could possibly use this issue to escalate privileges.

 Feed

Red Hat Security Advisory 2022-5770-01 - Mozilla Thunderbird is a standalone mail and newsgroup client. This update upgrades Thunderbird to version 91.12.0. Issues addressed include a spoofing vulnerability.

 Feed

Red Hat Security Advisory 2022-5767-01 - Mozilla Firefox is an open-source web browser, designed for standards compliance, performance, and portability. This update upgrades Firefox to version 91.12.0 ESR. Issues addressed include a spoofing vulnerability.

 Feed

The operators of the Gootkit access-as-a-service (AaaS) malware have resurfaced with updated techniques to compromise unsuspecting victims. "In the past, Gootkit used freeware installers to mask malicious files; now it uses legal documents to trick users into downloading these files," Trend Micro researchers Buddy Tancio and Jed Valderama said in a write-up last week. The findings

 Feed

A 24-year-old Australian national has been charged for his purported role in the creation and sale of spyware for use by domestic violence perpetrators and child sex offenders. Jacob Wayne John Keen, who currently resides at Frankston, Melbourne, is said to have created the remote access trojan (RAT) when he was 15, in addition to working as the administrator for the tool from 2013 until its

 Feed

Researchers have uncovered a list of 3,207 apps, some of which can be utilized to gain unauthorized access to Twitter accounts. The takeover is made possible, thanks to a leak of legitimate Consumer Key and Consumer Secret information, respectively, Singapore-based cybersecurity firm CloudSEK said in a report exclusively shared with The Hacker News. "Out of 3,207, 230 apps are leaking all four

 Feed

Now more than ever, organizations need to enable their development teams to build and grow their security skills. Today organizations face a threat landscape where individuals, well-financed syndicates, and state actors are actively trying to exploit errors in software. Yet, according to recent global research, 67% of developers that were interviewed said they were still shipping code they knew

Aggregator history: 2022-08, Monday, August 01