Apple Archives – Gridinsoft Blog https://gridinsoft.com/blogs/tag/apple/ Welcome to the Gridinsoft Blog, where we share posts about security solutions to keep you, your family and business safe. Tue, 26 Mar 2024 16:40:09 +0000 en-US hourly 1 https://wordpress.org/?v=70606 200474804 GoFetch Vulnerability in Apple Silicon Uncovered https://gridinsoft.com/blogs/gofetch-vulnerability-apple-silicon/ https://gridinsoft.com/blogs/gofetch-vulnerability-apple-silicon/#respond Tue, 26 Mar 2024 15:03:15 +0000 https://gridinsoft.com/blogs/?p=20741 Researchers uncovered a vulnerability in Apple Silicon processors, dubbed GoFetch. It allows attackers to extract secret keys from Mac computers while performing widespread cryptographic operations. Notably, it is practically impossible to patch the flaw as it stems from the microarchitecture of the processor. Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys Researchers have discovered… Continue reading GoFetch Vulnerability in Apple Silicon Uncovered

The post GoFetch Vulnerability in Apple Silicon Uncovered appeared first on Gridinsoft Blog.

]]>
Researchers uncovered a vulnerability in Apple Silicon processors, dubbed GoFetch. It allows attackers to extract secret keys from Mac computers while performing widespread cryptographic operations. Notably, it is practically impossible to patch the flaw as it stems from the microarchitecture of the processor.

Apple Silicon Vulnerability Allows Hackers to Extract Encryption Keys

Researchers have discovered a vulnerability in Apple’s self-made M-series processors. Under certain conditions, this vulnerability allows cryptographic information to be stolen from the processor cache. Modern computing devices use a hardware optimization called the DMP (data memory-dependent prefetcher). It reduces latency between the main memory and the CPU by predicting memory addresses and loading their contents into the CPU cache before they’re needed. By exploiting the flawed mechanism of cryptography operations handling, attackers can recover private encryption keys piece-by-piece.

Unlike more common vulnerabilities, developers can’t directly fix this flaw with a software patch. This issue at hand is linked to the microarchitecture design of the silicon itself. The only way to mitigate this vulnerability is to build defenses into third-party cryptographic software. Yet this workaround may have serious performance impact, with older M1 and M2 chips suffering the worst losses.

Understanding GoFetch Attack

Let’s take a closer look at how this attack works. The attack is called GoFetch, and relies on classical and quantum-resistant encryption algorithms. As mentioned, it exploits a vulnerability in Apple processors related to DMP (data memory-dependent prefetcher). This next-generation prefetcher is only used in Apple and Intel Raptor Lake processors, loading memory contents into the cache before they are needed. So, GoFetch can be exploited if the target cryptographic operation is a malicious application with standard user privileges. By the way, these privileges are available to most applications running in the same CPU cluster.

The vulnerability stems from the prefetcher’s ability to load data into the CPU cache with a pointer to load other data. DMP sometimes confuses memory contents and loads the wrong data into the CPU cache. The problem is that the vulnerability completely neutralizes the effect of constant-time protection. This should by design protect against side-channel and cache-related CPU attacks. This protection ensures that all operations take the same time, regardless of their operands. However, due to the vulnerability, applications exploiting GoFetch can put sensitive data in the cache, and a malicious application can steal it.

How Dangerous It Really Is?

When executed on the same core cluster (efficient or performance) with cryptographic operations, GoFetch reaches its peak efficiency. As far as analysis shows, it can effectively hack both current and next-gen encryption techniques.

As for exact numbers, GoFetch takes less than an hour to extract a 2048-bit RSA key and just over two hours to extract a 2048-bit Diffie-Hellman key. An attack to extract the material needed to assemble a Kyber-512 key takes 54 minutes. The Dilithium-2 key would require about 10 hours, not counting the time needed to process the raw data offline.

Experimental results of four cryptographic attack PoCs screenshot
Experimental results of four cryptographic attack PoCs. (source: ArsTechnica)
Unfortunately, to assess if an implementation is vulnerable, cryptanalysis and code inspection are required to understand when and how intermediate values can be made to look like pointers in a way that leaks secrets. This process is manual and slow and does not rule out other attack approaches.the researchers

Unpatchable Vulnerability

The main problem is that fixing this vulnerability by patching is impossible. This flaw sits in the Apple Silicon chip architecture. The only way out is through software protections and embedding patches in third-party cryptographic software, that avoids using the vulnerable mechanism. However, as I said, this will slow down cryptography operations on M1 and M2 and will throw a spanner in the developers’ work.

Aside from purely software workarounds, it is theoretically possible to run cryptographic processes on efficiency cores, which do not have DMP. Though this will impact performance as well, as E-cores were never meant to be fast, and the flawed mechanism itself brought quite a bit of speed-up. Experts emphasize that the performance drop will be felt if the affected software performs certain cryptographic operations only. At the same time, when working in browsers and many other types of applications, users will never notice changes.

It is worth noting that Intel Raptor Lake architecture (which includes 13th and 14th generation processors) does not have this vulnerability despite using the same prefetching mechanism as Apple’s M-series processors. The M3 processor is less susceptible, as it has a special “switch” that developers can use to disable DMP. However, it is still unclear how much performance degradation will occur when this functionality is disabled.

Read more on the hardware vulnerabilities in CPUs. We particularly wrote about Reptar vulnerability in Intel CPUs back in 2023. There are also two attack vectors actual for older AMD processors.

The post GoFetch Vulnerability in Apple Silicon Uncovered appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/gofetch-vulnerability-apple-silicon/feed/ 0 20741
New iOS Vulnerability Allows “Triangulation” Attack https://gridinsoft.com/blogs/ios-zeroclick-vulnerability-triangulation/ https://gridinsoft.com/blogs/ios-zeroclick-vulnerability-triangulation/#respond Thu, 01 Jun 2023 18:49:48 +0000 https://gridinsoft.com/blogs/?p=14958 New iOS vulnerability allows executing a zero-click malware delivery through the built-in iMessage messenger. The breach was discovered by Kaspersky analytics team, and appears to touch almost every user of Apple smartphones. Experts dubbed the malware “Triangulation”. iOS Exploit Allows Zero-Click Infection Probably, the worst case scenario for any target of cyberattack is the infection… Continue reading New iOS Vulnerability Allows “Triangulation” Attack

The post New iOS Vulnerability Allows “Triangulation” Attack appeared first on Gridinsoft Blog.

]]>
New iOS vulnerability allows executing a zero-click malware delivery through the built-in iMessage messenger. The breach was discovered by Kaspersky analytics team, and appears to touch almost every user of Apple smartphones. Experts dubbed the malware “Triangulation”.

iOS Exploit Allows Zero-Click Infection

Probably, the worst case scenario for any target of cyberattack is the infection performed without any action from the victim. And this is it – a crafted iMessage can trigger the malware injection to the device, leaving the user no chance to react. According to the report issued by Kaspersky, the breach is used to install a spyware dubbed Triangulation. Thing is, analysts discovered this trojan running in the iPhones of the company’s top executives.

Triangulation spyware is capable of things typical for malware of its class that aims at mobile devices. It allows for remote microphone enabling, gathering information about activity hours, geolocation, and grabbing photos and files from messengers. The worst thing here is that Triangulation is particularly hard to stop or remove – to some extent because of specific iOS characteristics.

Triangulation Trojan Is Very Tough to Find and Remove

As any other spyware, this one tries to stay as stealthy as possible. The only visible sign of its activity is disabled updates – at least this is what analysts discovered while examining the case. In iOS 14, Apple introduced a feature that displays when your mic or camera is in use, and also shows which app uses it. Though, it does not look like Triangulation triggers that mechanism, either because of a certain trick with OS settings or through enabling the mic during the use of other apps.

Triangulation disabled updates
One of the signs of Triangulation malware activity – disabled updates

Since iOS keeps its files closed from external view, it is hard to use specialised software to uncover the malware running in the system. Moreover, this makes its removal even more difficult. The mentioned report says that the only probable way to remove Triangulation trojan from the device is to reset the phone to factory settings. And it is suboptimal – such a harsh operation wipes all user files as well. And each minute spent with an infected device can mean more and more personal data leaked to the unwanted party.

What can I do?

Frankly, it is quite unusual to give such advice to iOS users. For a long time, this operating system was considered one, if not the most secure OS. Zero-day vulnerabilities or clickless exploits were happening earlier, but Apple issued hotfixes pretty quickly. Though this time, neither the list of vulnerable iOS versions nor hotfixes are available. I hope to see a new-style Rapid Security Response patch Apple introduced in the past month. But now, here is what you can do to protect from Triangulation trojan attack.

Perform a periodic checkup of your device. Potentially, the victims in Kaspersky team were simply ignorant to the mic/camera usage notifications that were appearing on the screen. Either way, keeping eye on what your iPhone tries to tell you is important – sometimes simply to uncover a legit app that uses your mic excessively.

Another place you can peek into is the Updates section in Settings. Since the malware reportedly disables updating functions, it may be an obvious sign for the user. Even if you disabled it willingly, it is recommended to turn them back on. Apple is doing its best to keep their devices secure, and the new updates policy is a perfect confirmation to that.

iOS updates
Be sure your iPhone is up to date

To continue the previous paragraph – keep an eye on the most recent iOS updates and install all security patches available. Sometimes, the company releases fixes even for older OS versions, especially if the vulnerability is critical and exploited in the wild. As you can see, sometimes being careful and avoiding muddy waters may be not enough, because you simply cannot avoid a thing you cannot even see.

The post New iOS Vulnerability Allows “Triangulation” Attack appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ios-zeroclick-vulnerability-triangulation/feed/ 0 14958
Cryptocurrency Scam “Pig Butchering” Penetrated the Apple App Store and Google Play Store https://gridinsoft.com/blogs/scam-pig-butchering/ https://gridinsoft.com/blogs/scam-pig-butchering/#respond Fri, 03 Feb 2023 10:32:17 +0000 https://gridinsoft.com/blogs/?p=13292 The Pig Butchering scam, a scam operation that specializes in fake investments in allegedly promising cryptocurrency projects, stocks, bonds, futures and options, was found in the Apple and Google app stores. Such attacks are called “pig slaughter”, and scammers use social engineering against their victims (“pigs”), finding contact with them on social networks and dating… Continue reading Cryptocurrency Scam “Pig Butchering” Penetrated the Apple App Store and Google Play Store

The post Cryptocurrency Scam “Pig Butchering” Penetrated the Apple App Store and Google Play Store appeared first on Gridinsoft Blog.

]]>

The Pig Butchering scam, a scam operation that specializes in fake investments in allegedly promising cryptocurrency projects, stocks, bonds, futures and options, was found in the Apple and Google app stores.

Such attacks are called “pig slaughter”, and scammers use social engineering against their victims (“pigs”), finding contact with them on social networks and dating applications.

You might also be interested in our article: 12 Instagram Scams to Know and Avoid in 2023.

Pig Butchering is a relatively new phenomenon. For example, the FBI first warned users against such fraud last fall. Then law enforcement officers explained that this is a very profitable scheme used by scammers around the world.

We also wrote that Ukrainian Cyber Police and Europol Arrested Fraudsters Involved in Pig Butchering.

Law enforcers reported that scammers use social engineering and get in touch with people (“pigs”) on social networks and dating apps. Over time, perpetrators gain the trust of their victims by feigning friendship or romantic interest, and sometimes even posing as the target’s real friends.

When the “contact” is established, the criminals at some point offer the victim to invest in cryptocurrency, for which the target is directed to a fake site. Alas, it will be impossible to return your funds and receive fake “income” from such a resource.

These scams can go on for months, and the victim sometimes gives the scammers huge sums (thousands to millions of dollars) before realizing they have been scammed. For example, last fall, Forbes reported on a 52-year-old man from San Francisco who lost about a million dollars due to “slaughtering pigs”. In this case, the scammers pretended to be an old colleague of the victim.

According to experts from Sophos, “Pig Butchering” has already penetrated the official app stores. Now scammers are targeting victims on Facebook or Tinder using fake profiles of women with photos stolen from other accounts. At the same time, fake profiles showcase a deliberately luxurious lifestyle with photos from high-end restaurants, expensive shops and exotic places.

scam Pig Butchering

After gaining the victim’s trust, the scammers reveal that they have an uncle who works for a financial analysis firm that is currently launching an app on the Play Store or App Store that allows you to trade cryptocurrencies. That is, in the end, the victim is persuaded not to go to a fake site, but to download a special application and “invest” in non-existent assets masquerading as real ones.

The malicious apps that the analysts found were called Ace Pro and MBM_BitScan in the Apple App Store and BitScan in the Google Play Store. All of them have now been removed.

scam Pig Butchering

After launching the application, the victim sees a very convincing interface for trading cryptocurrency, however, everything except the user’s deposit here is a fake.

scam Pig Butchering

It is noted that at first, in order to decline the vigilance of the target, scammers allow victims to withdraw small amounts in cryptocurrency from their accounts, but then, when there is already a lot of money, they block accounts and take everything.

To bypass App Store security checks, ShaZhuPan operators submit an app to the store that is signed with a valid certificate. Until approval is received, such an application connects to a regular server and pretends to be absolutely harmless. After passing the verification, the developers change the domain, and the application is already connecting to the malicious server.

scam Pig Butchering

According to experts, the BitScan apps for Android and iOS were allegedly provided by different vendors, but communicated with the same control server, which was hosted on a domain masquerading as bitFlyer (a real cryptocurrency exchange company from Japan).

Sophos reports that the Chinese group ShaZhuPan is behind one of these campaigns, divided into separate teams, each of which is engaged in one thing: interaction with victims, finance, franchise or money laundering.

The researchers conclude that since such applications are downloaded by a small number of users, manually selected by scammers, there are no massive complaints about them, which makes them difficult to detect and remove from stores. Sophos also notes that with the advent of fintech in our lives, people’s trust in such software tools has increased, and when applications are taken from the official Apple and Google stores, the victims have a false sense of legitimacy.

The media also wrote that Two Cryptocurrency Scammers from Estonia Made $575 Million from a “Ponzi scheme.

The post Cryptocurrency Scam “Pig Butchering” Penetrated the Apple App Store and Google Play Store appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/scam-pig-butchering/feed/ 0 13292
Apple ID Scams: Identify and Prevent Apple Phishing Email https://gridinsoft.com/blogs/apple-id-scams/ https://gridinsoft.com/blogs/apple-id-scams/#respond Wed, 23 Nov 2022 19:29:21 +0000 https://gridinsoft.com/blogs/?p=12189 Apple users are believed to be protected from all sorts of fraud and hacking. That’s because Apple designs its technologies with all required privacy and security requirements. But alas, fraudsters have come up with methods of penetration into users’ personal space and know how to make them give their data. This article will tell you… Continue reading Apple ID Scams: Identify and Prevent Apple Phishing Email

The post Apple ID Scams: Identify and Prevent Apple Phishing Email appeared first on Gridinsoft Blog.

]]>
Apple users are believed to be protected from all sorts of fraud and hacking. That’s because Apple designs its technologies with all required privacy and security requirements. But alas, fraudsters have come up with methods of penetration into users’ personal space and know how to make them give their data. This article will tell you the main facts about Apple ID scams and how to deal with it.

What is an Apple ID phishing scam?

Phishing is a method actors use to con people out of their data. This often includes passwords, social security numbers, and banking information. Phishers try to get this information so they can sell it for a hefty sum, or use it in more advanced scams. For example, imposters posing as Apple will ask for information in messages that appear legitimate. They lead you to a fake website that looks precisely like apple.com and then collect any data entered. Phishers use your Apple ID to access Apple services such as Apple Music, the App Store, and iCloud.

Apple services
Apple services that can be influenced by AppleID scam

Why do scammers target your Apple ID?

Once they have access, they can use the stolen information to impersonate a legitimate user on the services they abused. Anyone posing as a scammer can access your Apple ID credentials, which allows them to access your personal information like addresses and banking information. Giving someone access to this information through an iCloud breach is risky because they can inspect your files, documents, and photos in your history. Scammers rely on finding private information or media they can use to extort money from you. Another way for money extortion is blocking your devices through FindMy service. If you have several devices linked to the hacked account, it could be pretty painful.

Types of Apple ID phishing scams

Apple ID hackers constantly develop new ways to scam people and earn money. People easily fall prey to new scams as previous methods are revealed and debunked. This ongoing process makes keeping the public safe difficult. So, lets review the main types of Apple ID scams:

• Apple ID receipt email

Apple ID phishing email with an attached Apple ID receipt claims to be from Apple. The email says that someone bought something using the recipient’s Apple ID. To make the email trick more believable, additional information can be included in the body of the email, such as a zip file or a hyperlink to sign in to your Apple ID. Once opened, the fake receipt will capture your personal information and store it in perpetuity. When an Apple phishing email appears in your inbox, it suggests that you have been locked out of your account.

Fake Apple email
Example of fake Apple email

• Disabled Apple account notification

This is a common tactic of cybercriminals who use phishing scams. A decoy website link often comes attached to this email. If the scammer hopes you’ll follow the link and try to access your account, they can get your password by logging in themselves.

• Apple ID text scams

In order to trick people, scammers use many different forms of phishing. For example, they might send you a text message your Apple ID has been locked or warn you that a fake text message was just sent to your phone. Scammers use this technique to create panic and confusion in their victims. In addition, they use deceptive statements that confuse them, such as links to fake websites that ask you to input information or contact them by phone.

Apple ID locked
Notification Apple ID locked

• Apple ID phone call scams

Fake Caller ID allows con artists to disguise their name and logo as Apple’s real ones. This makes their scams seem even more accurate to the victim. Confident threat actors convince people easily through phone scams. This makes it harder for someone to notice they are being scammed. When receiving a call from a scammer, disconnect the call and dial Apple’s official support line. Once on the phone, inquire if they just called you.

• App store pop-up asking for your password

App Store pop-ups appear periodically when you interact with your phone, so entering your password when prompted feels natural. However, this can be dangerous if scammers manage to send you pop-ups directly. Moreover, they can just counterfeit a legit system push notification, so watch out and think if you really need to type the password at the moment.

Type password AppStore
App Store keeps asking for password

• Fake calendar invitation

When you receive an unexpected invitation or email, the best thing to do is take a moment to analyze the invitation. Calendar virus malware is a form of attack that infects Apple devices, specifically iPhones and iPads. This malicious software allows hackers to add fake subscribed calendar accounts to a victim’s device without their authorization. This allows them to create notifications for “events” that include malicious links. Common terms for this type of malware include "iCalendar spam" and "iPhone calendar spam."

• iPhone locked

Scammers will often try to register your phone as lost, enable the Find My iPhone setting, and threaten to lock you out of your phone unless you pay them to relinquish control of your device.

RELATED CONTENT
The McAfee fake email scam is one of the other equally popular types of phishing scams. The McAfee scam email mimics a typical notification from a provider about account details or user licenses.

How to identify an Apple ID scam?

To understand where the problem comes from, you need to pay attention to some things that appear on your PC. Here is a list of some of them:

  1. Unusual email senders– Apple’s team will come up with a more professional email address. Even similarly looking appleid@apple.id.com is not an option. However, crooks rarely strain so hard, and often use some generic emails.
  2. Typos"Hello friend, we come with bad news" either Apple has lowered the bar on copywriting significantly, or you’ve caught a liar. Pay close attention to spelling mistakes, grammatical errors, or incorrect spaces to identify potential scam messages.
  3. URL shorteners– If the links you receive do not lead you directly to the official site of apple.com, then do not trust the source that sends you these links. Moreover, do not follow this link.
  4. Urgency – fraudsters often like to escalate the situation. They often call users for urgent action. If you notice something suspicious in the message, such as the sender trying to make you respond quickly, do not respond to this.
  5. Verify requests– Apple employees will never ask for your personal information. If someone asks you personal questions about your social security number or credit card, don’t join the conversation.
  6. Generic greetings– Apple saves your name and uses it to refer to you when contacting you. If you are called sir/madam/friend in a message, the message is most likely a scam.
OTHER COMMON SCAMS
Phishing scams are on the rise these days, Netflix customers are being warned to beware of phishing emails purporting to be sent by Netflix

Top tips on how to identify and prevent an Apple ID scam

The best thing you can do to protect yourself is to follow ways to prevent fraud. If you are facing messages you cannot identify as legitimate, then it is best not to respond. In the end, follow the following tips to help reduce the risk of becoming a victim of Scammers.

  • Always check the URL
  • Don’t use the same password for multiple websites update password regularly
  • Install antivirus software on your device
  • Keep your web browser up to date
  • Make sure you have the latest version of the operating system
  • Never share your Apple ID password with anyone

The post Apple ID Scams: Identify and Prevent Apple Phishing Email appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/apple-id-scams/feed/ 0 12189
iOS VPN Bug Prevents Encryption of Traffic for Years, Researchers Say https://gridinsoft.com/blogs/ios-vpn-bug/ https://gridinsoft.com/blogs/ios-vpn-bug/#respond Thu, 25 Aug 2022 11:54:28 +0000 https://gridinsoft.com/blogs/?p=10151 A few years ago, engineers at Proton Technologies, the company behind ProtonMail and ProtonVPN, talked about a bug in iOS 13.3.1 that prevents VPN apps from encryption of all traffic. As information security experts now report, the problem has not yet been fixed. Let me remind you that we also wrote that Vulnerability in WebKit… Continue reading iOS VPN Bug Prevents Encryption of Traffic for Years, Researchers Say

The post iOS VPN Bug Prevents Encryption of Traffic for Years, Researchers Say appeared first on Gridinsoft Blog.

]]>
A few years ago, engineers at Proton Technologies, the company behind ProtonMail and ProtonVPN, talked about a bug in iOS 13.3.1 that prevents VPN apps from encryption of all traffic. As information security experts now report, the problem has not yet been fixed.

Let me remind you that we also wrote that Vulnerability in WebKit engine could redirect iOS and macOS users to scam sites, and also that For iOS was discovered a new exploit, with the help of which China traced the Uyghurs.

In 2020, Proton Technologies experts explained that when using a VPN, the operating system must close all existing Internet connections and restore them through a VPN tunnel to protect the user’s privacy and data. However, iOS for some reason can’t keep up with closing existing connections, leaving the traffic insecure as a result. For example, new Internet connections will connect through the VPN tunnel, but connections that were already active when the user connected to the VPN server will remain outside the tunnel.

Although insecure connections are becoming less common, the main problem is that the user’s IP address and the IP address of the server to which it connects remain open, and the server “sees” the user’s real IP address instead of the VPN server’s IP address.

As The Register now writes, Proton Technologies researchers continued to wait for the release of the patch for a very long time. From time to time, specialists have updated their report and say that there is still no fix, although Apple is aware of the problem. So, until recently, the last update in the text was dated October 19, 2020, and it reported that the vulnerability had not been finally fixed in iOS 13.4, 13.5, 13.6, 13.7 and 14.

Earlier this year, cybersecurity researcher and developer Michael Horowitz re-examined this situation and found that VPNs in iOS still do not work correctly and provoke data leaks.

VPNs don’t work on iOS. At first, they seem to work fine. The iOS device gets a new public IP address and new DNS servers. The data is transmitted to the VPN server. But over time, a detailed check of the data leaving the device shows that the VPN tunnel is leaking. The data does not leave the iOS device through the VPN tunnel. This is not a normal DNS leak, but this is a data leak.Horowitz wrote in early August, in a post titled 'VPN on iOS is a scam'.

Horowitz writes that back in May 2022, he sent an email to Apple announcing this leak. In July, he said that he exchanged several letters with the company, but this did not give any result:

To date, about five weeks later, Apple has said virtually nothing to me. They didn’t say if they tried to recreate the problem. They didn’t say if they agreed it was a vulnerability. They didn’t say anything about a fix.

In addition, at the end of last week, on August 18, 2022, Proton Technologies experts updated their old report again. They argue that the kill switch feature that Apple introduced to developers with the release of iOS 14 does block additional network traffic, but “some DNS queries from Apple services can still be sent outside of a VPN connection.”

This is similar to the situation we reported two years ago. Most connections are short-lived and will eventually self-repair through the VPN tunnel. However, some operate for a long time and may remain open for minutes to hours outside the tunnel.

We have repeatedly discussed this issue with Apple. Unfortunately, fixing the problem is very problematic. Apple stated that this behavior is “to be expected” and “Always On VPN is only available on MDM controlled devices.” We urge Apple to make a completely secure web experience available to everyone, not just those connected to a proprietary remote device management framework designed for enterprises.says Proton Technologies.

The post iOS VPN Bug Prevents Encryption of Traffic for Years, Researchers Say appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/ios-vpn-bug/feed/ 0 10151
Microsoft Releases PoC Exploit to Escape MacOS Sandbox https://gridinsoft.com/blogs/poc-exploit-for-macos/ https://gridinsoft.com/blogs/poc-exploit-for-macos/#respond Mon, 18 Jul 2022 10:03:11 +0000 https://gridinsoft.com/blogs/?p=9457 Microsoft has detailed a recently patched vulnerability affecting Apple operating systems and published a PoC exploit to escape the macOS sandbox. If successfully exploited, this bug allows to leavei the sandbox, elevate privileges on the device and deploy malware. Let me remind you that they also wrote that Vulnerability in macOS Leads to Data Leakage,… Continue reading Microsoft Releases PoC Exploit to Escape MacOS Sandbox

The post Microsoft Releases PoC Exploit to Escape MacOS Sandbox appeared first on Gridinsoft Blog.

]]>
Microsoft has detailed a recently patched vulnerability affecting Apple operating systems and published a PoC exploit to escape the macOS sandbox. If successfully exploited, this bug allows to leavei the sandbox, elevate privileges on the device and deploy malware.

Let me remind you that they also wrote that Vulnerability in macOS Leads to Data Leakage, and also that Apple paid $100,000 for macOS camera and microphone hack.

Now we are talking about the vulnerability CVE-2022-26706 (5.5 points on the CVSS scale), which affects iOS, iPadOS, macOS, tvOS and watchOS. The researchers say the issue is access-related and affects the LaunchServices (launchd) component, which “allows a sandboxed process to bypass sandbox restrictions.” The problem has already been fixed by Apple engineers in May of this year.

This bug was discovered while investigating how to launch and detect malicious macros in Microsoft Office documents on macOS. If the abuse of macros to deploy malware has long been the “norm” for Windows hacking, things are different with macOS.

For backward compatibility, Microsoft Word can read and write files with the “~$” prefix. After reviewing earlier reports (1, 2) on sandboxing on macOS, the researchers found that using Launch Services to run the open –stdin command on a special Python file with the aforementioned prefix allows you to exit the application sandbox, potentially leading to system-wide compromise.

PoC exploit for macOS

The researchers ended up developing a PoC exploit that used the -stdin option along with the open command on a Python file to bypass com.apple.quarantine restrictions. The exploit code from Microsoft is extremely simple: dropping a Python file that contains arbitrary commands, and its name contains a special prefix for Word.

Python successfully runs our code, and since it is linked with the launchd process, it is not bound by the rules of the Word sandbox.the experts explain.

Ultimately, the researchers managed to simplify the exploit code above so much that it could fit in one tweet.

PoC exploit for macOS

The post Microsoft Releases PoC Exploit to Escape MacOS Sandbox appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/poc-exploit-for-macos/feed/ 0 9457
Privacy Access Tokens to Replace CAPTCHA Real Soon https://gridinsoft.com/blogs/privacy-access-tokens-to-replace-captcha-real-soon/ https://gridinsoft.com/blogs/privacy-access-tokens-to-replace-captcha-real-soon/#respond Mon, 27 Jun 2022 09:27:34 +0000 https://gridinsoft.com/blogs/?p=8851 CAPTCHA, a well-known test for website visitors to prove they are humans, not robots, rapidly grows obsolete. There are ways to break or bypass CAPTCHA, and there are obvious inconveniences these tests bring to clients when deployed on websites. Luckily, the progress won’t cease, and the replacement is coming. We’re talking about Privacy Pass –… Continue reading Privacy Access Tokens to Replace CAPTCHA Real Soon

The post Privacy Access Tokens to Replace CAPTCHA Real Soon appeared first on Gridinsoft Blog.

]]>
CAPTCHA, a well-known test for website visitors to prove they are humans, not robots, rapidly grows obsolete. There are ways to break or bypass CAPTCHA, and there are obvious inconveniences these tests bring to clients when deployed on websites. Luckily, the progress won’t cease, and the replacement is coming. We’re talking about Privacy Pass – a browser extension that does the job of filtering bots on the client’s side and automatically.

Prove to Machines That You Are Not a Machine Via Cryptographic Token

Privacy Pass is a browser extension initially designed for Chrome and Firefox, with its first version released back in 2018. This plugin verifies that you are not a bot automatically and awards you with a cryptographic token (Privacy Access Token – PAT) that serves as a pass on CAPTCHA-protected websites. The extension analyzes your behavior while you browse, so there is no need to stop to solve CAPTCHA puzzles. It turns out that there are plenty of ways to figure out that there is a human being behind the browser by analyzing what and how the client does.

Cloudflare CAPTCHA pages accept PATs, and it seems reasonable to believe that manual CAPTCHA will be driven out from use very soon. What is even more promising is that Apple gives Privacy Pass a huge recognition boost by including it in the upcoming operating systems, iOS 16 and macOS Ventura.

Standard CAPTCHAs for manual solving will probably linger for some time, though, to welcome users who either haven’t yet earned an access token during their browsing session or clients whose behavior seems suspicious.

What’s wrong with CAPTCHA?

CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is fine; it’s just old. Its purpose is to make automatized attacks such as DDoS (and other bot-activity on websites) impossible. But it turns out that there are ways to provide smooth and seamless verification of users being humans without forcing them to solve puzzles. Checkpoints, where you have to stop and perform actions, are real trouble for marketing – users just hate them.

A click farm interior
Click farm. Image: Diggit Magazine.

Moreover, back in 2013, a CAPTCHA-beating neural network showed up. It solved test jigsaws with 99.8% accuracy, which is a better-than-human result. After nine years, machine learning algorithms only improved.

Another phenomenon is connected to CAPTCHA bypassing. There are entire click farms – offices where specially trained people do nothing else but solve CAPTCHA puzzles to let bots enter protected websites. The bots deliver the tasks they face on websites to human clickers and then receive them back solved via a special API.

So, CAPTCHA is getting closer and closer to obsolete. It is beatable and annoying. Why not replace it with something high-end like Privacy Pass?

The post Privacy Access Tokens to Replace CAPTCHA Real Soon appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/privacy-access-tokens-to-replace-captcha-real-soon/feed/ 0 8851
Apple paid $100,000 for macOS camera and microphone hack https://gridinsoft.com/blogs/apple-paid-for-macos-camera-and-microphone-hack/ https://gridinsoft.com/blogs/apple-paid-for-macos-camera-and-microphone-hack/#respond Mon, 31 Jan 2022 23:17:07 +0000 https://gridinsoft.com/blogs/?p=7012 Information security researcher Ryan Pickren told how he received a large reward from Apple for hacking the camera and microphone in macOS. He also discovered vulnerabilities in Safari and macOS that could be used to hack into a user’s online accounts. Back in 2020, Ryan Pickren received a $75,000 bug bounty from Apple because he… Continue reading Apple paid $100,000 for macOS camera and microphone hack

The post Apple paid $100,000 for macOS camera and microphone hack appeared first on Gridinsoft Blog.

]]>
Information security researcher Ryan Pickren told how he received a large reward from Apple for hacking the camera and microphone in macOS. He also discovered vulnerabilities in Safari and macOS that could be used to hack into a user’s online accounts.

Back in 2020, Ryan Pickren received a $75,000 bug bounty from Apple because he found several vulnerabilities in Safari at once that could be used to access someone else’s camera and microphone (on devices running iOS and macOS). To exploit those bugs, it was necessary to trick the user into visiting a malicious site.

After receiving the award, the expert continued his research in this area and last year identified another chain of exploits related to iCloud Sharing and Safari 15, the use of which could have even more nasty consequences. As Pickren now reveals on his blog, the new attack combines four vulnerabilities, two of which have been given CVE IDs: CVE-2021-30861 and CVE-2021-30975. Two more bugs were recognized as “design” flaws, and not full-fledged vulnerabilities.

To exploit the new chain of bugs, it was necessary to lure the victim to a malicious site and force them to click on the “Open” button there. If the exploit was successful, the attacker gained access not only to the victim’s webcam and microphone, but also to all accounts on all sites that the victim had ever visited using Safari (including, for example, Gmail, iCloud, Facebook and PayPal).

macOS camera and microphone

The exploit chain included a UXSS vulnerability in Safari, abuse of iCloud’s default sharing feature (ShareBear), and bypassing Gatekeeper.

Essentially, through ShareBear, the victim allows an attacker to inject a file into his system, which can be later executed without user interaction. And even if the original file was not malicious, then the attacker can change its content and extension.Ryan Pickren says.

The fact is that when ShareBear is used to share files, the user needs to click on the “Open” button only once. Such a file can then be run remotely at any time without re-permissions.

The researcher writes that the problems were found in the summer of 2021, but Apple managed to finally eliminate them only recently, in January 2022. As a result, Pikren “earned” $100,500 from these bugs, receiving a large reward as part of the bug bounty program.

Let me remind you that recently MI also wrote that Zerodium offers up to $400,000 for exploits for Microsoft Outlook.

The post Apple paid $100,000 for macOS camera and microphone hack appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/apple-paid-for-macos-camera-and-microphone-hack/feed/ 0 7012
Vulnerability in macOS Leads to Data Leakage https://gridinsoft.com/blogs/vulnerability-in-macos-leads-to-data-leakage/ https://gridinsoft.com/blogs/vulnerability-in-macos-leads-to-data-leakage/#respond Tue, 11 Jan 2022 22:08:46 +0000 https://gridinsoft.com/blogs/?p=6871 Microsoft said that attackers could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology and gain access to protected user data. Back in the summer of 2021, a research group informed Apple developers about a vulnerability dubbed powerdir (CVE-2021-30970). The bug is related to the TCC technology, which is designed to block… Continue reading Vulnerability in macOS Leads to Data Leakage

The post Vulnerability in macOS Leads to Data Leakage appeared first on Gridinsoft Blog.

]]>
Microsoft said that attackers could use a macOS vulnerability to bypass Transparency, Consent, and Control (TCC) technology and gain access to protected user data.

Back in the summer of 2021, a research group informed Apple developers about a vulnerability dubbed powerdir (CVE-2021-30970). The bug is related to the TCC technology, which is designed to block applications from accessing sensitive user data. This allows macOS users to customize privacy settings for apps and devices connected to their Macs, including cameras and microphones.

While Apple has restricted access to TCC (only for apps with full disk access) and configured features to automatically block unauthorized code execution, Microsoft researchers have found that attackers could inject a second custom-built TCC database into the system, allowing them to gain access to a secure information.

The point is that TCC supports two types of databases – one for permissions that apply to a specific user profile, and the other for permissions that apply globally, system-wide, protected by System Integrity Protection (SIP), and are only available for applications with full disk access.

We found that it was possible to programmatically change the target user’s home directory and inject a fake TCC database that stores the history of consent for application requests. If this vulnerability is exploited, an attacker, in theory, can launch an attack based on the user’s protected personal data. For example, an attacker can hack an application installed on a device (or install his own malicious application), gaining access to a microphone to record private conversations or take screenshots of sensitive information displayed on the screen.say the experts.

In fact, a user with full disk access can find the TCC.db file, which is a SQLITE database, view it, and even edit it. Thus, an attacker with full access to the TCC databases can grant arbitrary permissions to his malicious applications, which the user will not even know about.

Apple fixed this issue in December 2021 with the release of macOS 11.6 and 12.1.

CVE-2021-30970 is the third TCC bypass issue. Earlier in 2021, Apple fixed bugs CVE-2020-9934 and CVE-2020-27937, as well as the zero-day vulnerability CVE-2021-30713, which also allowed an attacker to gain full access to the disk, record data from the screen, and perform other actions without explicit user consent.

Let me remind you that we wrote that Vulnerability in WebKit engine could redirect iOS and macOS users to scam sites, and also that Spy method NoReboot allows simulating iPhone shutdown and prying through the camera.

The post Vulnerability in macOS Leads to Data Leakage appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/vulnerability-in-macos-leads-to-data-leakage/feed/ 0 6871
Spy method NoReboot allows simulating iPhone shutdown and prying through the camera https://gridinsoft.com/blogs/spy-method-noreboot-allows-simulating-iphone-shutdown/ https://gridinsoft.com/blogs/spy-method-noreboot-allows-simulating-iphone-shutdown/#respond Mon, 10 Jan 2022 19:03:35 +0000 https://gridinsoft.com/blogs/?p=6867 The NoReboot spy method allows intercepting the iPhone restart and shutdown process and prevent them from ever happening. ZecOps has developed a new method to simulate restarting or shutting down the iPhone and thereby prevent the removal of malware from it, with which hackers can secretly track the victim through the microphone and phone camera.… Continue reading Spy method NoReboot allows simulating iPhone shutdown and prying through the camera

The post Spy method NoReboot allows simulating iPhone shutdown and prying through the camera appeared first on Gridinsoft Blog.

]]>
The NoReboot spy method allows intercepting the iPhone restart and shutdown process and prevent them from ever happening.

ZecOps has developed a new method to simulate restarting or shutting down the iPhone and thereby prevent the removal of malware from it, with which hackers can secretly track the victim through the microphone and phone camera.

As a rule, in order to remove malware from an iOS device, simply restart it. The method developed by ZecOps specialists allows to intercept the process of reboots and shutdowns and make it so that they never happen. This way the malware gains persistence on the system as it never actually shuts down.

Since no vulnerabilities need to be exploited to carry out the NoReboot attack, Apple is unable to release a hotfix.ZecOps experts say.

To restart iPhone, user needs to press and hold the power button or volume control until a slider appears with the option to restart. Then he should wait 30 seconds for the process to complete.

When the iPhone is turned off, the screen goes blank, the camera turns off, the long press does not respond, the ringtone and notification sounds fade and there is no vibration. ZecOps has developed a PoC Trojan capable of injecting special code into three iOS daemons to simulate shutdown by disabling all of these indicators.

Spy NoReboot Method

The Trojan interrupts the shutdown event by intercepting the signal from the SpringBoard application that is responsible for interacting with the user interface. Instead of the expected signal, the Trojan sends a code that forcibly terminates SpingBoard, causing the device to stop responding to user actions. It looks like the iPhone is turned off.

The BackBoardd daemon, which logs physical button presses and timestamped screen touches, is then instructed to display a spinning wheel to indicate that the device is turned off. The user thinks that the iPhone has turned off, releases the button ahead of time, and the actual shutdown process never starts.

The video below shows the NoReboot attack in action. Judging by the video, with its help you can very easily convince the victim that her phone is turned off.

You might also be interested to know that Cybersecurity expert created an exploit to hack iPhone via Wi-Fi, and that Vulnerabilities allowed access to cameras on Mac, iPhone and iPad.

The post Spy method NoReboot allows simulating iPhone shutdown and prying through the camera appeared first on Gridinsoft Blog.

]]>
https://gridinsoft.com/blogs/spy-method-noreboot-allows-simulating-iphone-shutdown/feed/ 0 6867