Apple is planning to introduce a new feature called Lockdown Mode in iOS, iPadOS, and macOS to boost defenses and interrupt methods used to compromise devices for highly targeted attacks.
The goal is to close down technical avenues for digital espionage amidst a proliferation of mercenary spyware designed to covertly punch through a device’s security protections and harvest user data.
The setting trades usability for security: when activated, it limits what the device can do, cordoning off parts of the iPhone and other devices from potential attack vectors, including malicious link previews and unsolicited FaceTime calls, that have been exploited in the past to gain a foothold.
Turning it on will immediately switch off a number of features in Messages, FaceTime, and Safari — which have been abused by surveillance-for-hire vendors to create exploits able to transmit spyware — as well as prevent iPhones and Macs from installing configuration profiles.
The new mode is also expected to block wired connections to iPhones when they are locked, a method companies like Cellebrite have used to access data from devices to search for digital evidence in law enforcement operations.
While spyware companies have maintained that they license the sophisticated technology to help governments thwart national security threats, it’s been repeatedly abused to surveil civil society members, turning their phones into remote listening devices.
What’s trending in security?
🚨 An anonymous threat actor, identified only via the handle “ChinaDan,” has taken to a cybercrime forum with an offer to sell what they claim is a vast cache of records containing names, addresses, national IDs, phone numbers, and police and medical data of over a billion Chinese civilians – allegedly stolen from the Shanghai Police for 10 bitcoin.
If confirmed, it would mark one of history’s largest leaks of personal data. Given the market for stolen data, the trove, allegedly amounting to 23 terabytes of information, could be used as ammunition for phishing attacks, scams, and worse, identity theft. The data is said to have been publicly accessible since at least April 2021.
“But even as Beijing’s appetite for surveillance has ramped up, authorities have appeared to leave the resulting databases open to the public or left them vulnerable with relatively weak safeguards,” the NYT reported.
Questions remain about how the unknown hackers apparently gained access, as official authorities have remained silent about how the breach, if true, took place. At any rate, the purported data underscores the staggering scale of government data collection in China and the risks associated with collecting and storing vast amounts of sensitive personal data online.
That said, Vinny Troia, founder of dark web intelligence firm Shadowbyte, said the theft of nearly one billion Chinese citizens’ data from a Shanghai police database occurred because the dashboard for managing and accessing the data was set up on a public web address and left open without a password, allowing anyone with relatively basic technical knowledge to copy or steal the trove of information. To make matters worse, the leak has spurred a major spike in personal records from China appearing on cybercriminal marketplaces. [The Wall Street Journal / The New York Times / The Washington Post / CNN / TechCrunch / Cybersixgill / Dark Reading]
⚠️ While legitimate adversary simulation software like Cobalt Strike has been repeatedly exploited by threat actors, there are now signs that hackers are shifting away from that post-exploitation toolkit and embracing Brute Ratel C4 (BRc4) instead. First released in December 2020, BRc4 offers a level of sophistication similar to that of Cobalt Strike and has been specifically designed to evade detection by endpoint security software. [The Hacker News]
💲 The LockBit ransomware gang announced the launch of LockBit 3.0, a new ransomware-as-a-service offering, and the first-ever bug bounty program, indicating that cybercriminal gangs have reached a level of maturity that rivals the organizations they target. Rewards, a sign of actors reinvesting some of the profit in their own security, go up to $1 million for vulnerabilities and “brilliant ideas” on how to improve their software. The development comes shortly after the notorious Conti ransomware group disbanded, and as LockBit emerged as one of the most prolific ransomware gangs in operation — accounting for almost half of all known ransomware attacks in May 2022. [The Hacker News / SecurityWeek / Bleeping Computer]
💵 A group of threat actors from North Korea has been targeting small and midsize businesses (SMBs) with H0lyGh0st ransomware since June 2021, making it the second ransomware family reported in recent weeks to come out of North Korea, after Maui. While the ransomware activity is something of a deviation from their recent history of financial heists, North Korean threat actors are no strangers to ransomware, as seen with the high-profile 2017 WannaCry ransomware attack. [The Hacker News]
📧 Nation-state actors from China, Iran, North Korea, and Turkey have been targeting the work email accounts of journalists as phishing inroads in cyber espionage campaigns since early 2021. [The Hacker News]
🪲 HackerOne fired one of its employees for collecting bug bounties from its customers after alerting them to vulnerabilities in their products — bugs that were previously submitted to the companies via the HackerOne platform. [The Hacker News]
📄 Phishing emails containing bogus documents have been spotted using the Royal Road RTF weaponizer to infect telecom entities in Russia with the Bisonal remote access tool. Both sets of malware have long been tied to various Chinese-aligned hacking efforts, making attribution to a single actor difficult. That said, the campaign underscores the tactics Chinese APT actors have used to conduct espionage-motivated activities against an ever-expanding array of targets, including allies like Russia, at an increasing rate. [The Hacker News]
❌ Microsoft said it’s temporarily rolling back a change in Office to block macros by default to make further usability changes. The disabling of Office macros by default has been seen as a huge step forward in securing a tried and tested attack path for threat actors, who have abused the feature for deploying malware via spear-phishing attacks. [The Hacker News]
💰 A massive phishing campaign has been targeting Microsoft 365 users in over 10,000 organizations since September 2021 and successfully bypassing multi-factor authentication (MFA) account protections. The end goal is to access finance-related emails from the compromised mailboxes and to hijack ongoing email threads to commit payment fraud and mount business email compromise (BEC) campaigns against other targets. [The Hacker News]
🔐 The National Institute of Standards and Technology (NIST) announced the first group of four encryption tools designed to tackle the looming threat of quantum computers. The need for post-quantum cryptography (or quantum-resistant encryption) is driven by the increasing belief that quantum computers will mature enough over the next decade to crack the current public-key systems used to secure communications today. [The Hacker News]
💭 Motherboard published sections of the code used by Anom, the FBI operation in which the agency intercepted messages from thousands of encrypted phones worldwide. The code shows that the messages were secretly duplicated and sent to a “ghost” contact hidden from the users’ contact lists. This ghost user, in a way, was the FBI and its law enforcement partners, reading over the shoulder of organized criminals as they talked to each other. [Motherboard]
🎲 An advanced persistent threat (APT) group dubbed Earth Berberoka (aka GamblingPuppet) has been discovered primarily targeting online gambling sites in China. [Trend Micro]
🔑 PyPI, the largest package manager for Python libraries and software components, mandated two-factor authentication for maintainers of “critical” Python projects. The decision is an attempt to improve the supply chain security of the Python ecosystem and echoes a similar decision by GitHub and NPM to enforce 2FA earlier this year. [The Hacker News]
🔓 Some microprocessors from AMD and Intel are vulnerable to a newly discovered Spectre-like attack called Retbleed that can covertly leak password data and other sensitive material, prompting the chipmakers to issue software updates for what’s become a stubbornly persistent vulnerability. The issue, the latest addition to the family of speculative execution attacks that began with Meltdown and Spectre, aims to undo a line of defense introduced in 2018 dubbed Retpoline to prevent speculative execution attacks. The mitigations will incur an additional computational overhead measured to be between 12% and 28%. [The Hacker News]
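The practical question for defenders after a speculative-execution disclosure like Retbleed is whether the running kernel reports a mitigation. Linux exposes one status file per issue under /sys/devices/system/cpu/vulnerabilities (including a `retbleed` entry on kernels that carry the fix). The following is an added example, not code from any source cited on this page: it reads those files, classifies each status string, and separates the parsing from the filesystem read so it can be exercised on constructed input. The file contents in the comments are illustrative assumptions, not a claim about any particular machine.

```python
import glob
import os

# Kernel-exported status files, one per hardware vulnerability.
SYSFS_VULNS = "/sys/devices/system/cpu/vulnerabilities"


def classify(status: str) -> str:
    """Map a sysfs status line to a coarse verdict.

    Kernel strings take forms such as "Not affected",
    "Mitigation: untrained return thunk; SMT enabled with STIBP protection",
    "Vulnerable" or "Vulnerable: ..." (constructed examples; exact wording
    varies by kernel version).
    """
    s = status.strip()
    if s.startswith("Not affected"):
        return "not-affected"
    if s.startswith("Mitigation:"):
        return "mitigated"
    if s.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def parse_report(files: dict) -> dict:
    """Classify a {name: status_text} mapping; returns {name: (verdict, text)}."""
    return {name: (classify(text), text.strip()) for name, text in sorted(files.items())}


def unmitigated(files: dict) -> list:
    """Names of issues the kernel reports as exploitable on this CPU."""
    return [name for name, (verdict, _) in parse_report(files).items() if verdict == "vulnerable"]


def scan(path: str = SYSFS_VULNS) -> dict:
    """Read every status file under `path` (the live sysfs tree by default)."""
    files = {}
    for entry in glob.glob(os.path.join(path, "*")):
        with open(entry) as fh:
            files[os.path.basename(entry)] = fh.read()
    return parse_report(files)


if __name__ == "__main__":
    for name, (verdict, text) in scan().items():
        print(f"{name:24s} {verdict:13s} {text}")
```

Run it on a Linux host to get one line per issue; anything classified `vulnerable` (for Retbleed, a `retbleed` entry not beginning with `Mitigation:`) means the microcode or kernel update the chipmakers shipped has not taken effect on that machine.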
🚗 Honda said it’s working to address a spate of recently-discovered vulnerabilities dubbed Rolling-PWN in the rolling code mechanism used in its keyless entry systems (aka key fobs) for vehicles dating back to 2012 that could be abused to unlock cars at will. [The Record]
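To make the mechanism at issue concrete, here is an added example of a generic rolling-code scheme. It is not Honda's implementation and does not reproduce the Rolling-PWN flaw; the secret, window size and counter layout are constructed assumptions. Each button press derives a fresh code from a per-fob secret and an incrementing counter, and the receiver accepts a code only if it falls within a look-ahead window past the last counter it saw, then advances past it. A replayed code therefore fails, as does a code that falls behind the receiver's counter.

```python
import hashlib
import hmac

# Constructed parameters: a real system picks its own window and code width.
WINDOW = 16      # how many missed presses the receiver tolerates
CODE_BYTES = 4   # transmitted code width after truncation


def derive_code(secret: bytes, counter: int) -> bytes:
    """Truncated keyed MAC over the counter: unpredictable without the secret."""
    mac = hmac.new(secret, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return mac[:CODE_BYTES]


class Fob:
    """Transmitter side: bumps its counter and emits the matching code."""

    def __init__(self, secret: bytes, counter: int = 0):
        self.secret = secret
        self.counter = counter

    def press(self) -> bytes:
        self.counter += 1
        return derive_code(self.secret, self.counter)


class Receiver:
    """Vehicle side: accepts only codes ahead of its counter, within WINDOW."""

    def __init__(self, secret: bytes, last_counter: int = 0):
        self.secret = secret
        self.last_counter = last_counter

    def accept(self, code: bytes) -> bool:
        for candidate in range(self.last_counter + 1, self.last_counter + 1 + WINDOW):
            if hmac.compare_digest(derive_code(self.secret, candidate), code):
                self.last_counter = candidate   # consume this and every earlier counter
                return True
        return False


def demo() -> dict:
    """Exercise the accept/reject cases; returns each outcome by name."""
    secret = b"constructed-fob-secret"   # assumption: provisioned per fob at the factory
    fob, car = Fob(secret), Receiver(secret)
    results = {}

    first = fob.press()
    results["fresh_press"] = car.accept(first)   # accepted
    results["replay"] = car.accept(first)        # rejected: counter already consumed

    # Presses the car never heard (out of range) still work if within WINDOW.
    missed = [fob.press() for _ in range(5)]
    results["after_missed"] = car.accept(missed[-1])   # accepted, counter jumps ahead
    results["old_missed"] = car.accept(missed[0])      # rejected: now behind the counter

    # Beyond WINDOW the fob and car desynchronise and must be resynced.
    for _ in range(WINDOW + 5):
        fob.press()
    results["beyond_window"] = car.accept(fob.press())  # rejected
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:14s} {'accepted' if accepted else 'rejected'}")
```

The security of the scheme rests on the receiver never moving its counter backwards and on codes being unguessable without the secret; any resynchronisation path that lets a transmitter drag the counter back, or a code that can be replayed after acceptance, defeats the purpose of rolling the code at all.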
🚩 The Log4Shell security flaw that came to light late last year has been characterized as an “endemic vulnerability” that’s expected to plague organizations for years to come as exploitation evolves. While there have not been any significant Log4j-based attacks on critical infrastructure systems, the fact that the logging library is deeply embedded in systems poses significant risks as threat actors shift tactics. [U.S. Cyber Safety Review Board]
⭕ One of the first public research efforts on Google’s Fuchsia OS has uncovered a method to hijack the control flow and plant a rootkit in the kernel space of the underlying operating system. [Alex Popov]
⚡ A newly observed phishing campaign is leveraging the recently disclosed Follina security vulnerability to distribute a previously undocumented backdoor on Windows systems. This is the latest in a long line of threat actors exploiting Follina to distribute different malicious payloads, including the AsyncRAT remote access Trojan and another unnamed malware for stealing cookies and saved login data from browsers such as Chrome, Edge and Firefox. [The Hacker News]
🏭 Threat actors are targeting systems in industrial control environments with backdoor malware such as Sality hidden in fake password-cracking tools. The tools, being touted for sale on a variety of social media websites, offer to recover passwords for programmable logic controllers (PLCs) used in industrial environments. [The Hacker News]
🔍 Joshua Schulte, a former Central Intelligence Agency computer engineer, has been convicted of leaking a large tranche of classified material to WikiLeaks in 2017 that revealed some of the agency’s most powerful hacking techniques. The Vault 7 dump showed that the CIA had developed the capability to hack into smart TVs and turn them into surveillance devices as well as penetrate a wide range of desktop and mobile operating systems and widely-used communication services like Skype and antivirus software. [The Hacker News]
📱 A new forensic investigation found that at least 30 Thai activists and lawyers had their iPhones compromised by Pegasus, a spyware strain developed and sold by Israeli surveillance company NSO Group. It’s capable of gathering sensitive data and monitoring victims’ movements and online activity in real time. Since Pegasus first came to light in August 2016, the company has claimed that it has only sold the tool to official law enforcement agencies to tackle serious crime. But a series of probes have unearthed a pattern of misuse to target civil society members. [The Hacker News]
💻 A previously unknown macOS backdoor, called CloudMensis, has been spotted gathering information from victims by exfiltrating documents, keystrokes and screen captures from compromised Macs. While its exact distribution method couldn’t be pinpointed, it’s believed to have targeted 51 victims between February and April 2022 as part of a targeted operation. The provenance of the threat remains unknown. [The Hacker News / Dark Reading]
🚀 Cybercriminals posing as legitimate investment firms and cryptocurrency exchanges have stolen $42.7 million from 244 victims by convincing them to download rogue mobile apps and deposit cryptocurrency into wallets owned by the perpetrators, according to a new FBI advisory. The fraudsters even went so far as to create fake websites impersonating those firms as part of their ruse to gain the trust of investors. In the past, North Korea-backed Lazarus hackers have targeted cryptocurrency and blockchain companies with malicious crypto-stealing apps. The group has since shifted its attention to blockchain bridges, as evidenced in the case of Ronin Bridge and Harmony. [The Hacker News / The Register]
📍 As many as six severe flaws have been disclosed in a widely used GPS tracker from MiCODUS that could pave the way for disrupting fleet operations and tracking individual vehicles. The unpatched issues could allow a remote attacker to take complete control of the GPS tracker, giving them access to location and other information, and allowing them to disarm alarms and cut off fuel. If anything, the vulnerabilities underscore the risks posed by Internet of Things (IoT) devices that have not benefited from adequate attention to security design and audits. [The Hacker News]
🔔 Government agencies of Afghanistan, India, Italy, Poland, and the U.S. have been targeted by a malicious phishing campaign designed to drop remote access trojans like AsyncRAT and LimeRAT to steal sensitive data. [Trellix]