More stories

  •

    This iOS 15 bug could crash your iPhone permanently

    A security researcher has publicly disclosed a bug present in iOS 15.2 (and going back to iOS 14.7 and possibly earlier) relating to HomeKit that could be used to permanently crash an iPhone. Trevor Spiniolas found that changing the name of a HomeKit device to a very large string (Spiniolas used 500,000 characters in testing) crashes the associated iPhone. To make matters worse, because the device name is backed up to the user’s iCloud account, restoring an iPhone and signing back into the iCloud account linked to the HomeKit device triggers the bug once again.

    According to Spiniolas, “[t]his bug poses a significant risk to the data of iOS users, but the public can protect themselves from the worst of its effects by disabling Home devices in control center in order to protect local data.” Spiniolas decided to make this bug public after initially reporting it to Apple on August 10, and Apple promising a fix “before 2022.” On December 10, Apple then informed Spiniolas that the fix would come in “early 2022,” which is when he decided to make the bug public on January 1, 2022. “The public should be aware of this vulnerability and how to prevent it from being exploited,” writes Spiniolas, “rather than being kept in the dark.”

    Think you might be affected by this bug? Spiniolas has outlined the process to get the iPhone working again:

    1. Restore the affected device from Recovery or DFU Mode.
    2. Set up the device as normal, but do NOT sign back into the iCloud account.
    3. After setup is finished, sign into iCloud from Settings. Immediately after doing so, disable the switch labeled “Home.”

    The device and iCloud should now function again without access to Home data.

  •

    Purple Fox rootkit discovered in malicious Telegram installers

    Researchers have warned that the Purple Fox rootkit is now being distributed through malicious, fake Telegram installers online. 


    This week, the Minerva Labs cybersecurity team, working with MalwareHunterTeam, said that Purple Fox is being disguised through a file named “Telegram Desktop.exe.” Those who believe they are installing the popular messaging service are, instead, being infected with the malware, and the infection process has made it more difficult to detect. First discovered in 2018, Purple Fox has been spread through a variety of means, including phishing emails, malicious links, and exploit kits. However, in the past few years, distribution methods have expanded to include compromising vulnerable internet-facing services, exposed SMB services, and fake installers. The malicious Telegram installer has been developed as a compiled AutoIt script. Upon execution, a legitimate Telegram installer is dropped, but never used, together with a malicious downloader called TextInputh.exe. The attack is then separated into several small files, a technique that Minerva says allowed the threat actor to stay under the radar, and most of the files “had very low detection rates by AV engines, with the final stage leading to Purple Fox rootkit infection.” TextInputh.exe creates a new folder and connects to the malware’s command-and-control (C2) server. Two new files are then downloaded and executed, which unpack .RAR archives, along with a file used to reflectively load a malicious .DLL. A registry key is created to enable persistence on an infected machine, and five further files are dropped into the ProgramData folder to perform functions including shutting down a wide range of antivirus processes before Purple Fox is finally deployed.

    The Purple Fox Trojan comes in both 32-bit and 64-bit Windows variants. In March last year, Guardicore Labs found new worm capabilities had been integrated into the malware, and thousands of vulnerable servers had been hijacked to host Purple Fox payloads. By October, Trend Micro had uncovered a new .NET backdoor, dubbed FoxSocket, which is believed to be a new addition to the malware’s existing capabilities. Given that the malware now contains a rootkit and worm functionality, and has been upgraded with a more robust backdoor, the addition of a stealthier infection process means that cybersecurity researchers will likely be keeping a close eye on this malware’s future development. “The beauty of this attack is that every stage is separated to a different file which are useless without the entire file set,” the team noted. “This helps the attacker protect his files from AV detection.”

  •

    Morgan Stanley agrees to $60 million settlement in data breach lawsuit

    Morgan Stanley has agreed to a settlement figure of $60 million to resolve a data breach lawsuit. 

    The US bank and financial services giant was subject to a class-action suit following two data exposure incidents involving approximately 15 million current and former clients. According to the motion (.PDF), legacy equipment that contained the personally identifiable information (PII) of clients was decommissioned in 2016 and 2019. However, the equipment was not wiped clean of this sensitive information prior to sale, and the datasets may then have been exposed, unencrypted, and available to view by the purchasing parties. Court documents suggest the retired equipment included old servers and other data center technology. In 2017, Morgan Stanley was contacted by one of these vendors, who told the company that they had access to client data. “In 2020, after an investigation, the Office of Comptroller of Currency (OCC) directed Morgan Stanley to provide notice of the Data Security Incidents to its potentially affected current and former clients,” the motion reads. “Morgan Stanley began distributing notice letters in July 2020.” The action by the OCC resulted in a consent order stating that Morgan Stanley “failed to effectively assess or address the risks associated with the decommissioning of its hardware.” Following notification, a class-action lawsuit was launched in 2020. Separately, a $60 million fine was issued by the OCC for data protection failures.

    Morgan Stanley has denied claims of liability. However, if the settlement amount is approved by a Manhattan federal court judge, $60 million will be awarded to those potentially impacted through a settlement fund. Claimants will be entitled to at least 24 months of fraud insurance services, and each class member can claim up to $10,000 for out-of-pocket expenses and $100 in ‘lost time’ (four hours at $25 per hour), although further lost hours will be considered if acceptable evidence is provided. The bank has also agreed to hire a third party to try to locate outstanding equipment for 12 months, some of which has been recovered. Morgan Stanley told Bloomberg in a statement, “We have previously notified all potentially impacted clients regarding these matters, which occurred several years ago, and are pleased to be resolving this related litigation.”

  •

    Malsmoke hackers abuse Microsoft signature verification in ZLoader cyberattacks

    The Malsmoke hacking group is now abusing a vulnerability in Microsoft’s e-signature verification tool to deploy malware and steal user data.

    On Wednesday, Check Point Research (CPR) said that, as of now, over 2,100 victims have been detected worldwide in a new campaign, with the majority resident in the United States, Canada, and India, although evidence of the malware has been found in 111 countries. Dubbed ZLoader, the malicious code has been used in the past to deliver banking Trojans and has been closely connected to multiple ransomware strains. The new campaign is thought to have started in November 2021. During its initial attack stages, the malware’s operators have decided to use Atera, legitimate remote management software, as the springboard to infect a system. While it is not known how the malicious package containing Atera is currently being distributed, upon installation, Atera will also show a fake Java installer. This file, however, is actually installing an agent that connects the endpoint PC to an attacker’s account, allowing them to remotely deploy malicious payloads. Two .bat files are then uploaded to the victim’s machine: the first is responsible for tampering with Windows Defender, and the second is used to load ZLoader. During this stage, Windows Defender exclusions are added to stop the cybersecurity tool from launching alerts, existing software that may detect the manipulation of the task manager and cmd.exe is disabled, and further scripts used to disable “Admin Approval Mode” are executed. In addition, a script is added to the startup folder for persistence and a PC reboot is forced to apply the system changes.

    Of note is a signed, malicious .DLL file used to infect a machine with ZLoader, according to the team. CPR said the file was modified and additional code was included by utilizing a known issue in the signature validation of crafted PE files, described in CVE-2020-1599, CVE-2013-3900, and CVE-2012-0151. While a fix was issued years ago, false positives against legitimate installers resulted in the patch being made opt-in. “Microsoft addressed the issue in 2013 with a Security Bulletin and pushed a fix,” the researchers say. “However, they stated after implementing it that they “determined that impact to existing software could be high.” Therefore, in July 2014, they pulled the stricter file verification and changed it to an opt-in update. In other words, this fix is disabled by default, which is what enables the malware author to modify the signed file.” The final ZLoader payload is then deployed. This malware, a banking Trojan in its own right, is able to steal user credentials, cookies, and sensitive information, including financial account login data, as well as act as a backdoor and loader for other malicious code. In September, Microsoft warned that ZLoader was being spread through Google keyword advertisements to infect vulnerable PCs with Conti ransomware. CPR believes that MalSmoke is behind the latest campaign due to coding similarities, the use of Java plugins as fake installers, and connections between registrar records for domains previously used by the group to spread Raccoon Stealer malware. According to the researchers, the authentication gap being exploited is a problematic area because Microsoft’s stricter signature options are not enabled by default, and while the cybersecurity firm recommends that users apply Microsoft’s update for Authenticode verification, this may also occasionally flag legitimate installers as having an invalid signature.

    “All in all, it seems like the ZLoader campaign authors put great effort into defense evasion and are still updating their methods on a weekly basis,” commented Kobi Eisenkraft, Malware Researcher at Check Point. “I strongly urge users to apply Microsoft’s update for strict Authenticode verification. It is not applied by default.” Microsoft and Atera have been made aware of the researchers’ findings. “We released a security update (CVE-2013-3900) in 2013 to help keep customers protected from exploitation of this vulnerability,” a Microsoft spokesperson told ZDNet. “Customers who apply the update and enable the configuration indicated in the security advisory will be protected. Exploitation of this vulnerability requires the compromise of a user’s machine or convincing a victim to run a specially crafted, signed PE file.”
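    The opt-in configuration that the CVE-2013-3900 advisory refers to is a registry value, EnableCertPaddingCheck, under the Wintrust\Config key (and its Wow6432Node twin on 64-bit Windows); Microsoft documents it as a REG_SZ set to "1". The script below is an added example, not code from Check Point or Microsoft: it audits both locations and, with -Enable, turns the strict check on. The registry paths and value come from Microsoft's advisory; the script structure is the editor's own.

```powershell
# Audit (and optionally enable) strict Authenticode verification, the opt-in
# fix for CVE-2013-3900 / MS13-098. Run elevated when using -Enable.
[CmdletBinding(SupportsShouldProcess)]
param(
    [switch]$Enable
)

# On 64-bit Windows, 32-bit callers of WinVerifyTrust read the Wow6432Node
# hive, so both locations must be set for the check to apply to every PE file.
$paths = @(
    'HKLM:\SOFTWARE\Microsoft\Cryptography\Wintrust\Config',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Wintrust\Config'
)
$valueName = 'EnableCertPaddingCheck'

foreach ($path in $paths) {
    $current = $null
    if (Test-Path -Path $path) {
        $current = (Get-ItemProperty -Path $path -Name $valueName -ErrorAction SilentlyContinue).$valueName
    }

    # The advisory documents the value as REG_SZ "1"; anything else means the
    # legacy, permissive verification (the one ZLoader's signed DLL relies on)
    # is still in effect.
    $enforced = ($current -eq '1')

    [pscustomobject]@{
        Path     = $path
        Value    = $current
        Enforced = $enforced
    }

    if ($Enable -and -not $enforced -and $PSCmdlet.ShouldProcess($path, "Set $valueName = 1")) {
        if (-not (Test-Path -Path $path)) {
            New-Item -Path $path -Force | Out-Null
        }
        New-ItemProperty -Path $path -Name $valueName -Value '1' -PropertyType String -Force | Out-Null
    }
}
```

Running it without -Enable is read-only and safe to include in a fleet audit; run it with -WhatIf first when enabling, since the stricter check can reject legitimate installers that carry extra data in the signature block, as the article notes.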

  •

    China moots additional security rules for apps that influence public opinion

    China has released draft laws that will require, amongst other things, mobile apps to be licensed if they provide news and to go through a security assessment if they can influence public opinion. They also must adhere to cybersecurity guidelines and not endanger national security. The Cyberspace Administration of China (CAC) on Wednesday unveiled proposed legislation to further regulate services provided via mobile apps and ensure these operate alongside the country’s other laws, including the Personal Information Protection Law (PIPL) and Data Security Law. Under the draft laws, operators that provide news services through mobile apps would have to obtain a licence to do so. They also must deliver such services within the scope of the licence and as permitted under the licence. The CAC, however, did not elaborate on what exactly the licence would cover.

    Operators of apps that provided news, instant messaging, and other related services must require their users to register based on their mobile number and identification card number. Users who refused to do so or who used fraudulent identification data should not be permitted to use the app. App operators were expected to put in place the necessary mechanisms and tools to manage user registration and accounts as well as review information and monitor usage. Registered users who breached service agreements and laws must be issued warnings and access restricted or blocked, where necessary. In addition, mobile app operators that introduced technologies and functions that could potentially influence public opinion or mobilise the population, must carry out security assessments according to specifications laid out by CAC. The government agency, though, did not provide details on what these might entail. Operators also should not use their apps to facilitate activities that were illegal and that endangered national security or disrupted social cohesion. 

    They must further comply with requirements stipulated in the country’s cybersecurity law. Should they uncover security flaws or other risks in their mobile app, they must take immediate steps to plug the security holes and notify users in a timely fashion. The relevant authorities also should be notified of the security flaw. If passed, the draft legal framework would apply to various media including text, picture, voice, and video, and to information platforms delivered via mobile app, including instant messaging, FAQs, and community forums. CAC said public feedback on the proposed law would close on January 20. It added that the regulation was slated to be passed later this year. The draft laws are the latest in China’s efforts to stem what the government perceives as problems within the digital economy, such as poor management of personal data. CAC last May called out 33 mobile apps for collecting more user data than it deemed necessary to offer their service. CAC said these companies, which included Baidu and Tencent Holdings, had breached local regulations and gathered personal information without consent from their users.

  •

    Services Australia brushes off vulnerability concerns in COVID-19 digital certificates

    Image: Cameron Spencer/Getty Images
    During Australia’s federal Budget Estimates last year, Services Australia was grilled by senators about various initiatives under its remit, from the COVID-19 digital certificate rollout to the bungled robo-debt scheme. Of concern to Labor Senators Tim Ayres and Nita Green was the alleged lack of security of Australia’s COVID-19 digital certificates, with both of them criticising the certificate for being easily forged through man-in-the-middle cyber attacks. Providing responses to the senators’ concerns, Services Australia said it was aware of reports concerning man-in-the-middle cyber attacks via the Medicare Express Plus app, but brushed off the concerns by merely saying such attacks “require significant knowledge and expertise”. It added that there are currently no vulnerability disclosure programs in place nor any future plans to implement such a program for the digital vaccination certificates. This is despite security researcher Richard Nelson last year detailing the difficulty for the private sector and the public in reporting vulnerabilities about the certificates to government, which was referenced by Ayres during Budget Estimates. Services Australia also said the Digital Transformation Agency (DTA) had no plans to consider establishing bounty programs. “Services Australia takes the integrity of the Medicare system and the Australian Immunisation Register extremely seriously,” Services Australia said in its response to questions on notice. “Full cyber assessments are undertaken several times a year and we work closely with the Australian Signals Directorate and Australian Cyber Security Centre on potential vulnerabilities on mobile applications.”

    As of the end of October, over 12.3 million Australians had downloaded COVID-19 digital certificates, the agency said in another response. For Australia’s other federal COVID-19 product, COVIDSafe, the DTA provided an update that monthly costs to run the app have been around what it expected, roughly AU$60,000 a month, since it took over responsibility for the app. As of early October, there were 7.7 million COVIDSafe registrations, DTA added. The DTA had also been asked by Labor Senator Marielle Smith during Budget Estimates how many people had downloaded the app and then deleted it, but the agency said it does not track that data. In regards to questions about Services Australia’s progress in refunding wrongly issued robo-debts, the agency provided more information about the people who are still yet to receive a refund. The agency said there are now around 8,500 people who are yet to receive a refund. Of these, 501 are deceased estates, 280 are incarcerated, 539 are indigenous, and 106 had a vulnerability indicator on their customer record at the time they were last in receipt of payment. Services Australia explained that these refunds had not been processed yet because the victims have not provided bank details to the agency in order to receive the payment. A Senate Committee inquiring into the robo-debt system is still waiting for Services Australia and Minister for Government Services Linda Reynolds to provide documents about the legal advice Services Australia received in implementing robo-debt. Both have refused to provide that information under claims of public interest immunity.

  •

    Chinese tech companies must undergo government cyber review to list overseas

    Image: Kevin Frayer/Getty Images
    China on Tuesday evening confirmed it will increase oversight on how local tech companies operate their platforms both locally and overseas through two new sets of rules. The first set of rules, set to be enforced on February 15, is focused on cybersecurity reviews and will require local tech companies holding personal information on over 1 million users to undergo a security review before being allowed to list on overseas stock exchanges. Announced by the Cyberspace Administration of China (CAC), the rules did not specify whether cybersecurity reviews would be required for companies that list in Hong Kong. As part of a cybersecurity review process, the Chinese government can urge tech companies to make organisational changes to fulfil their commitments to the cybersecurity review. The CAC said the new listing requirement was established to address the risk of key infrastructure, data, and personal information being used maliciously by foreign actors. The new listing requirement adds another layer of uncertainty for Chinese companies looking to expand overseas, as Chinese companies like China Telecom have already received the stock exchange boot from the US. The US Securities and Exchange Commission last month also gained powers to ban foreign companies listed in the US from trading if their auditors do not comply with requests for information from American regulators. Looking at the rest of the cybersecurity review measures, the CAC said any companies that carry out data processing activities that affect or may affect national security will also be required to undergo a cybersecurity review, although the CAC did not provide definitions of what activities would meet that threshold.

    The second set of rules announced by the CAC, set to come into effect in March, targets the use of algorithm recommendations by tech companies and requires them to establish algorithm mechanism reviews, user registration reviews, and programs protecting minors. All online platforms will also be required to provide users with the option to turn off or modify how they access algorithm recommendation services, as well as provide users with information on how their personal data is used in the provision of such services. Both sets of rules follow a big year of tech crackdowns in China, when new laws came into force around data protection, online gaming for minors, and gig economy rights. Along with new legislation, the Chinese government also slapped big penalties on tech giants, such as removing Didi from app stores and fining Alibaba 18.2 billion yuan. Just prior to the new year, China’s internet security regulator also suspended all of its contracts with Alibaba Cloud after one of its security engineers discovered the Log4j vulnerability and reported it to Apache. The Ministry of Industry and Information Technology suspended its contracts with Alibaba Cloud as it “did not effectively support the Ministry of Industry and Information Technology to carry out cyber security threats and vulnerability management”, according to local media outlets.

  •

    FTC to pursue companies that expose customer data due to not patching Log4j

    Image: perinjo/ GETTY
    The United States Federal Trade Commission has issued a warning that it will chase companies that do not remedy the vulnerability in the Java logging package Log4j. “The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future,” the agency said on Tuesday. “Failure to identify and patch instances of this software may violate the FTC Act.” The agency cited its $700 million settlement with Equifax in 2019 as an example of what could happen if customer data is exposed. “The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies,” the FTC said. “These projects are often created and maintained by volunteers, who don’t always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy. This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security.”

    Earlier on Tuesday, Microsoft said people might not be aware of how widespread the Log4Shell issue is in their environments, and warned that attempts to exploit it remained high through the end of 2021. “At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” the software giant said. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.” Cloudflare warned last month that it had detected activity related to the remote code exploit as early as December 1, which meant the vulnerability was in the wild for at least nine days before it was publicly disclosed.
