Attackers are betting that the hype around generative AI (GenAI) is attracting less technical, less cautious developers who might be more inclined to download an open source Python code package for free access, without vetting it or thinking twice.

Source: Adrian Vidal via Alamy Stock Photo

Two Python packages claiming to integrate with popular chatbots actually transmit an infostealer to potentially thousands of victims.

Publishing open source packages with malware hidden inside is a popular way to infect application developers, and the organizations they work for or serve as customers. In this latest case, the targets were engineers eager to make the most out of OpenAI's ChatGPT and Anthrophic's Claude generative artificial intelligence (GenAI) platforms. The packages, claiming to offer application programming interface (API) access to the chatbot functionality, actually deliver an infostealer called "JarkaStealer."

"AI is very hot, but also, many of these services require you to pay," notes George Apostopoulos, founding engineer at Endor Labs. As a result, in malicious circles, there's an effort to attract people to free access, "and people that don't know better will fall for this."

**Two Malicious "GenAI" Python Packages**

About this time last year, someone created a profile with the username "Xeroline" on the Python Package Index (PyPI), the official third-party repository for open source Python packages. Three days later, the person published two custom packages to the site. The first, "gptplus," claimed to enable API access to OpenAI's GPT-4 Turbo language learning model (LLM). The second, "claudeai-eng," offered the same for ChatGPT's popular competitor, Claude.

Neither package does what it says it does, but each provide users with a half-baked substitute — a mechanism for interacting with the free demo version of ChatGPT. As Apostopoulos says, "At first sight, this attack is not unusual, but what makes it interesting is if you download it and you try to use it, it will kind of look like it works. They committed the extra effort to make it look legitimate."

Under the hood, meanwhile, the programs would drop a Java archive (JAR) file containing JarkaStealer.

JarkaStealer is a newly documented infostealer sold in the Russian language Dark Web for just $20 — with various modifications available for $3 to $10 apiece — though its source code is also freely available on GitHub. It's capable of all the basic stealer tasks one might expect: stealing data from the targeted system and browsers running on it, taking screenshots, and grabbing session tokens from various popular apps like Telegram, Discord, and Steam. Its efficacy at these tasks is debatable.

**Gptplus & claudeai-eng's Year in the Sun**

The two packages managed to survive on PyPI for a year, until researchers from Kaspersky recently spotted and reported them to the platform's moderators. They've since been taken offline but, in the interim, they were each downloaded more than 1,700 times, across Windows and Linux systems, in more than 30 countries, most often the United States.

Those download statistics may be slightly misleading, though, as data from the PyPI analytics site "ClickPy" shows that both — particularly gptplus — experienced a huge drop in downloads after their first day, hinting that Xeroline may have artificially inflated their popularity (claudeai-eng, to its credit, did experience steady growth during February and March).

"One of the things that \[security professionals\] recommend is that before you download it, you should see if the package is popular — if other people are using it. So it makes sense for the attackers to try to pump this number up with some tricks, to make it look like it's legit," Apostopoulos says.

He adds, "Of course, most average people won't even bother with this. They will just go for it, and install it."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Faux ChatGPT, Claude API Packages Deliver JarkaStealer

Nosebeard Labs has identified a critical vulnerability in the Apple system wide web content filter that allows a full bypass of content restrictions. This vulnerability, which occurs specifically when Screen Time content filtering settings are enabled, permits users or attackers to access restricted websites in Safari without detection. The timeline in this advisory is probably the most interesting thing to note. It shows a Fortune 10 ignoring a concern for years until a news article gets written, and that is truly disappointing. Do better Tim.

    Dear colleagues,Nosebeard Labs is pleased to share its latest advisory, detailing a bypass of Apple's system wide web content filter. The HTML version of this advisory is also available at:https://nosebeard.co/advisories/nbl-001.htmlWarmest regards,Nosebeard Labs## SummaryNosebeard Labs Security Advisory NBL-001Title: Apple web content filter bypass allows unrestricted access to blocked content (macOS/iOS/iPadOS/visionOS/watchOS)Advisory ID: NBL-001Date: 2024-11-15Severity: Critical (CVSS 9.1)Affected Product: Safari on any Apple device with Screen Time enabledCVE ID: CVE-2024-44206## OverviewNosebeard Labs has identified a critical vulnerability in Apple’s system wide web content filter that allows a full bypass of content restrictions. This vulnerability, which occurs specifically when Screen Time’s content filtering settings are enabled, permits users or attackers to access restricted websites in Safari without detection. By exploiting a misalignment between Screen Time’s Access Control List (ACL) and WebKit’s URI validation, a specially crafted URI can circumvent both layers of protection.Apple has assigned CVE-2024-44206 to this issue and issued a fix for macOS Sonoma 14.x, iOS/iPadOS 17.x, watchOS 10.x, visionOS 1.x, Safari 17.x and up.However, a fix is still pending for the backport channels.## DescriptionThis vulnerability arises when the WebKit Cocoa layer in Safari ingests a URI without performing comprehensive validation, combined with a failure by the Screen Time ACL filter to recognize and block the malformed URI. The flaw allows a crafted URI to bypass all Screen Time content filtering settings, including deny/allow lists and parental content filters, providing unrestricted access to blocked content.## Affected SystemsThis vulnerability affects all devices on macOS, iOS, iPadOS, watchOS and visionOS platforms with Safari and Screen Time enabled, impacting an estimated 250 million devices globally.## Attack ScenariosThe vulnerability can be exploited both locally and remotely:1. Local Exploitation: Users can manipulate the address bar to manually enter a crafted URI, bypassing Screen Time restrictions.2. Network-Based Exploitation: Attackers can load restricted content remotely by embedding a crafted URI within an iframe, bypassing restrictions without requiring user interaction.## Impact1. Confidentiality: Unrestricted access to restricted websites compromises the confidentiality of content filtering controls, potentially exposing sensitive or inappropriate material.2. Scope and Integrity: This vulnerability spans across two separate security mechanisms (Screen Time and WebKit), representing a critical architecture-level issue. Additionally, accessing unsecured or unlogged resources poses potential integrity risks.## CVSS ScoreVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:NScore: 9.1 (Critical)## MitigationsUpgrade to the latest iOS/iPadOS 17.x or 18.x / macOS Sonoma 14.x  / visionOS 1.x / watchOS 10.x / Safari 17.6 respectively. Users who are unable to apply a fix can contact us for more info.## Vendor ResponseApple has issued CVE-2024-44206 and supplied a fix within WebKit; however, a fix remains pending for iOS/iPadOS version 16.x. We recommend that Apple undertake further review to address the issue comprehensively.## Timeline–Milestone:2020-11-24 Vulnerability discovered internally at NBL–Milestone:2021-03-08 Initial disclosure to Apple Product Security–2021-03-09 Apple Product Security recommends to open a bug report on Feedback Assistant2021-03-10 We opened a bug report on Feedback Assistant as advised by Apple Product Security2021-03-15 We follow-up by adding additional info to the open bug report on F.A.2021-08-16 We follow-up again referring Apple Product Security to open ticket, stressing that the issue can be also demonstrated in their EU Apple Stores2021-08-24 We follow-up again to Apple Product Security, referring to the previous follow-up2021-08-25 Rejected by Apple Security - “We do not see any actual security implications. We recommended reporting this issue via Feedback Assistant”2024-03-18 NBL submits a second report 3 years later to appeal via Apple Security Bounty Program, urging to re-evaluate, also providing PoC code2024-03-19 Apple Security Research closes report - “We’re unable to identify a security issue in your report” - “Screen Time is not intended to protect a device against manipulation” - “We recommend reporting this via Feedback Assistant”2024-04-02 Status of Bug Report on F.A. from 2021-03-10 “Open, Similar Reports None”2024-04-03 We follow-up again asking Apple Security for a final reassessment, providing a temporary workaround2024-04-03 Apple Security recommends opening a bug report - “ST is not intended to protect a device against manipulation” - “MDM profiles provide configuration management but do not establish additional security boundaries beyond what iOS and iPadOS have to offer.”2024-05-05 Initial contact with Joanna Stern of WSJ2024-05-06 Referring PSIRT ticket # directly to an Apple PSIRT contact via undisclosed SOC - no response2024-05-28 Joanna Stern/WSJ runs Apple through this2024-05-29 Apple commits patches to Safari branch–Milestone:2024-06-05 Wall Street Journal addresses our finding in their article “A Bug Allowed Kids to Visit X-Rated Sites. Apple Took Three Years to Fix It.” by Joanna Stern–2024-06-18 We follow-up again with Urgent request for re-evaluation to Apple Product Security (“Addendum”)2024-06-27 We follow-up on our follow-up Update Request Screen Time Security Vulnerability Report (“Follow-Up”)2024-07-23 Apple releases fix in iOS 17.6RC et al.2024-07-26 Letter to Apple welcoming first fix, reiterating our dedication to Responsible Disclosure, intended to coordinate further disclosure process and close the affair asking them to give credit and align to their SBP–Milestone:2024-07-29 Apple releases fixes for macOS Sonoma 14.6, iOS/iPadOS 17.6, watchOS 10.6, visionOS 1.3 and Safari 17.6, leaving iOS/iPadOS 16.x still affected.–2024-07-31 Apple responds “ST is not intended to protect a device from malicious manipulation, and bug reports on features like this are therefore typically ineligible for credit or Apple Security Bounty award. However, we’d like to make an exception and award you USD (...)* as a thank you for your report. Also, we’d like to credit you on our security advisory under the ‘Additional recognition’ section of the page.” *We were offered the minimum possible amount.2024-08-01 We inquire about the bounty amount asking Apple to “comment on our proposed evaluation under the CVSS metrics, sharing with us their transparent assessment of the vulnerability under the terms and broad criteria of the bounty program.”2024-08-01 Apple “appreciates our suggestions, but CVSS scores are not something that they publish to their security advisory.”2024-08-03 Patches merged with public WebKit branch2024-08-19 We are reaching out to Apple again “Ringing the escalation bell for the SBP team”2024-08-23 Apple Product Security advises a call2024-09-10 Apple Security rejects adjustment of the bounty as “out of scope/edge case policy” in the call, offering a $20,000 charity donation instead We request Apple to assign a CVE.–Milestone:2024-10-17 Apple follows-up with CVE-2024-44206 and an update to the advisorieshttps://support.apple.com/en-us/120909https://support.apple.com/en-us/120911https://support.apple.com/en-us/120913https://support.apple.com/en-us/120915https://support.apple.com/en-us/120916–2024-10-23 We follow-up one more time to request a further review of the severity and reward2024-11-02 NBL-001 advisory draft shared with Apple2024-11-14 Apple requests naming their charity offer among bounty payout details, leaving out further comments on the contents of the advisory itself.2024-11-15 NBL-001 published## ContactFor more information, please contact Andreas Jaegersberger or Ro Achterberg from Nosebeard Labs at labs@nosebeard.co.## Special ThanksMuch love goes out to Joanna Stern for her incredible support in making this happen.We also want to thank Aaron Kaplan for the tailwind throughout the journey and Arnoud Engelfriet for the rapid legal advice.Buongiorno to the cap’n <3

Apple Web Content Filter Bypass

Apple Security Advisory 11-19-2024-5 - macOS Sequoia 15.1.1 addresses code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-11-19-2024-5 macOS Sequoia 15.1.1

macOS Sequoia 15.1.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121753.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

JavaScriptCore  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to arbitrary  
code execution. Apple is aware of a report that this issue may have been  
actively exploited on Intel-based Mac systems.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 283063  
CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's Threat  
Analysis Group

WebKit  
Available for: macOS Sequoia  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack. Apple is aware of a report that this issue may  
have been actively exploited on Intel-based Mac systems.  
Description: A cookie management issue was addressed with improved state  
management.  
WebKit Bugzilla: 283095  
CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's Threat  
Analysis Group

macOS Sequoia 15.1.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JSQACgkQX+5d1TXa  
Ivo92g/8Dm9sVuOeQTu56JLi2yAlbu9NK8Udb4ByFIsi63HWksJ6rK9LzZfTF8Yd  
Z3SBk7aIHl9tMj2gJ6QJ71SwCdN/fTnAC9na5fZwUjdsjuH1uoPmiMSA48MDwmQC  
vf6grIhskLNi0bQrpcKR1C79fmGlO7Nua3zmbvdvs41/3g3A7udvf2KpZTkkDrP4  
+zwsVCJCu4xHTo5bU0NrM/Cbon+TO01/gyhnngZzl65bIPkhyeEDiVHW3K6aKDA8  
XpClgMGe7ZIRao0hmqqK+YYPso/yDdUDpHlfEFL/YYseVThd+t6EPn4irWFPCPTv  
usiMVUpOpqmMHfPaVO/uzwDR/wgpB8ws4BsBjytQ2q5ZZgyxsIUx6cEJazgbRXtI  
UIJWgodel8AClhWrRo8c14rIuUH1jqMh8EcbimFdC62vSivuNgwNdBd5U2wRnELr  
w1I65s3u7f3Qly8himbl+41ueYcgInsVld7206tk8Ygmm7zA4kupLBEH+EeK43c3  
2P0NF7CMQCnJcwbEqusIUi8AOSN2VgGi9E6BjjJGnLhbbieX/ssKTTbv+mt0ctyq  
5uB3WUZBDbhJKj8p/0+iBAlzZUJDkrudmy8No9Zc2ImTcZ61gP2Zbh/5lcI8hZu+  
SKOrc+1s5nRW1FcGXL2ZzjtnmXnU6DGFfN7stVtTmVAg4dEWzeo=  
=IY5p  
-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-5

Apple Security Advisory 11-19-2024-4 - iOS 17.7.2 and iPadOS 17.7.2 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-4 iOS 17.7.2 and iPadOS 17.7.2iOS 17.7.2 and iPadOS 17.7.2 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121754.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1stgeneration and later, iPad Air 3rd generation and later, iPad 6thgeneration and later, and iPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 17.7.2 and iPadOS 17.7.2".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JGcACgkQX+5d1TXaIvqaMhAArOKmA61hgLNGofjznuKQo6Jc42iPl7a/ZiB2Tq5ynZKPIGmGiM3HdJQ8bbifOgpkmNcA3h1OUlXnnkbdehq6d8MzI9WSn6uHdgWZ5LqLMXOWgsEF5Hwwmm7zaqTaqMv4fV2J6w2wTcoL5XptxGXiEi37/GzcureD3hvL+nRAAzR6c/gRXmcEjGL7pVTNJA0C8VyY9kG+Uc7ia2m5Riux2jsYzWYppPfCwUFeo3bQDexG7WsiHa00OZN+HkNS5/1t/7hftJZ+w/PbVnEK23Dm962NQgCrcFKGnbjNGJQlIjl+xfbi6BuQ6lJJZAI+3WqPHXLAMCcae/DfERqXWnJu8fTMfCwCbQVx185Cih+mtH0oc4MtPtiZdhi8TxZpVGZHYjLJa9VANTrNzkAmFflnhAC4tAG2FXx3ld3t/8u9Fhv0oyTa5HlzVYJ/WJgK32eT7I1h7Oqrp49KZcMIM8H6ZwNXYOI+Rf7GXdEN2y9Qhb+IOvdilTrCTpzRl6Gu6fBwH0G0UGHRktnBPlryJdOg26J1iVBZg6/K/CSjQizWdDXN/Nq4YwI17Eq4HtFdtOtrs5n0bDz+fsfGbsieTyUz1BUet2xLzPECfD4nYEKmckD1d/dRylc3vK9YGOCp1nWDoPSKnmkU9Il2SFAIuEM9o60lCN7PMWBrC9zYXMAxFmY==+VKC-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-4

Apple Security Advisory 11-19-2024-3 - iOS 18.1.1 and iPadOS 18.1.1 addresses code execution vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-11-19-2024-3 iOS 18.1.1 and iPadOS 18.1.1iOS 18.1.1 and iPadOS 18.1.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/121752.Apple maintains a Security Releases page athttps://support.apple.com/100100 which lists recentsoftware updates with security advisories.JavaScriptCoreAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to arbitrarycode execution. Apple is aware of a report that this issue may have beenactively exploited on Intel-based Mac systems.Description: The issue was addressed with improved checks.WebKit Bugzilla: 283063CVE-2024-44308: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch3rd generation and later, iPad Pro 11-inch 1st generation and later,iPad Air 3rd generation and later, iPad 7th generation and later, andiPad mini 5th generation and laterImpact: Processing maliciously crafted web content may lead to a crosssite scripting attack. Apple is aware of a report that this issue mayhave been actively exploited on Intel-based Mac systems.Description: A cookie management issue was addressed with improved statemanagement.WebKit Bugzilla: 283095CVE-2024-44309: Clément Lecigne and Benoît Sevens of Google's ThreatAnalysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/iTunes and Software Update on the device will automatically checkApple's update server on its weekly schedule. When an update isdetected, it is downloaded and the option to be installed ispresented to the user when the iOS device is docked. We recommendapplying the update immediately if possible. SelectingDon't Install will present the option the next time you connectyour iOS device.The automatic update process may take up to a week depending onthe day that iTunes or the device checks for updates. You maymanually obtain the update via the Check for Updates buttonwithin iTunes, or the Software Update on your device.To check that the iPhone, iPod touch, or iPad has been updated:* Navigate to Settings* Select General* Select About. The version after applying this update will be"iOS 18.1.1 and iPadOS 18.1.1".All information is also posted on the Apple Security Releasesweb site: https://support.apple.com/100100.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmc9JA8ACgkQX+5d1TXaIvrGzw/+PXf2fGgzCN5of6OYK0sWiJRRLZoL0uSZ9dOaD7I0/CyAx91Mv4OyH9Vveo9k84ZABNk4IO401WWLM8XSRSVILTcskT+SdXZrtOMYvmtUHUPKI35OWf1GBFdkgfnnFSRYf/B+WWb4PV0iO01lyFQVU5qDLcrUCAUQLwighfAX2yEn+Zml3NX6i2E5o2Rhc93Nac5a2cIcOGOSKrwsor0sh8NkAl9DcyPW6i6K3t59lUjiUY9XZQtEi6AyrChA84mo6Hb8wLwVIY17b8LVuruOSn3xg+Cc5eO5bOXp1O5lnR3dhuiZ2bl5BKawrp8+MDRsBZuTPS0k2Di3rmzuZ/GnvaQdtQKhcbOQ7tWW6evk/8TnFwlULaCr26OVbuLj0NWJ7GJYWpPuRWO0lFy9z9Fjdk4n+ptA7qmSWrhbdl+/uwUxJA5X58pVRWeWBExGP3S/ST/5YgAfZXBjHuDLiHKMOtQ3PktaMuEWhLFgGXNllXGQDihL4lS/XUQ1/E+mpWyY+kAbjtmCYlpez5MgeLkVv66yEWhOhsBMNIM+jkkRjktJo2SfhJMSryNLQlY37zn/VWf8Av+L60YoZhoMmx7DJLIr+HI257zbIE35CVZ+badn18d3eA+fq3RPtsDD8nlUePyZeNhEvc30Y5hXsIyK+Z0Ny+JgJfP1E6BeAJjjci0==ifwz-----END PGP SIGNATURE-----

Apple Security Advisory 11-19-2024-3

In a sign of the times, a backdoor malware whose ancestors date back to 2005 has morphed to target Linux systems.

Source: Imagebroker via Alamy Stock Photo

Two well-documented Chinese backdoors have recently been modified to operate on Linux systems.

The advanced persistent threat (APT) "Gelsemium" is a decade old now, and the new malware tied to the group, Wolfsbane and Firewood, can trace their lineage back to 2005. Throughout its history, Gelsemium has focused on information gathering from Windows systems. Now, it has adjusted its tooling to operate just as effectively in Linux environments.

This, experts say, is merely the latest manifestation of a long-brewing trend.

"The Linux malware landscape is certainly accelerating," says Jason Soroko, senior fellow at Sectigo. "The increase does make sense, as organizations have heavily adopted Linux for their back office server needs, both on premises and in the cloud. Adversaries are developing cross-platform malware to maximize their reach."

**The Wolfsbane & Firewood Backdoors**

The first public sample of the first new backdoor, dubbed Wolsbane, was uploaded to VirusTotal on March 6, 2023, from Taiwan, with later uploads coming from the Philippines and Singapore (historically, Gelsemium has targeted entities in the Middle East and East Asia).

Contextual evidence suggests that the malware's authors have been exploiting vulnerabilities in Java Web applications to access public-facing Apache Tomcat servers. And a deeper look inside reveals unmistakable overlaps with Gelsevirine, a Windows backdoor known to be used by Gelsemium. In essence, the Wolfsbane malware was a Linux port of Gelsevirine, featuring a modified Beurk Experimental Unix RootKit to hide its various malicious activities.

Alongside Wolfsbane, though not definitively attributable to Gelsemium, was a second Linux-ported backdoor, Firewood. An addition to its varied and typical backdoor capabilities, it possesses a kernel-level rootkit. 

Most interestingly, Firewood appears to be the latest evolution of "Project Wood," a phylum of a backdoor that traces back generations to a program first compiled in January 2005. The latest manifestation of Project Wood before Firewood, NSPX30, was reported earlier this year.

**What Explains the Surge in Linux Cyber Threats?**

Cyber threats rise across the board every year, but the particular rise in Linux-based threats stands out. 

Since at least 2020, vendors have tracked double- and triple-digit year-over-year increases in Linux attacks. In its annual "Global Threat Report," Elastic Security has regularly found that the Linux threat landscape vastly outpaces that of macOS, more closely resembling Windows in terms of sheer volume of attacks. In 2023, for example, it found that 54% of endpoint attacks affected Linux-based devices, compared with just 39% for Windows.

Over the past 12 months, around 32% of malware infections have targeted Linux, according to Jake King, Elastic's head of threat and security intelligence. "While steadily increasing, we are seeing greater volumes of attacks and, in some cases, with greater levels of sophistication. The XZ/Liblzma backdoor discovered by researchers earlier this year shows the desire of adversaries to compromise Linux hosts, likely for a variety of reasons, growing in sophistication to supply chain compromise," he says.

The rising threats to Linux may be attributable to an increasing adoption of Linux in enterprise environments, as Soroko alluded to, or the generally improving state of Windows security — the explanation ESET went with in its blog post — or an explanation even simpler.

"One of the reasons for growing observations can always be targeted to adversarial focus changing, but it is also likely that security tooling and telemetry for Linux hosts are improving at a pace whereby attacks are identified earlier, with a greater level of context," King suggests. For example, "A growing trend for threat observations this year was Impaired Defenses for Linux, showing that adversaries are specifically looking to bypass security tools native to Linux or disable third-party security tools. This is important, as it shows we're exposing many attacks that would have previously gone undetected years ago."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APT Gelsemium Deploys 'Wolfsbane' Linux Variant

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search…

The DOJ proposes tough proposals in its antitrust lawsuit against Google, including selling the Chrome browser, limiting search deals, and restructuring its operations to limit monopoly.

As part of its antitrust lawsuit against Google, the U.S. Department of Justice (DOJ) has proposed major changes that could entirely change the tech giant’s business structure and its role on the Internet.

The DOJ’s latest filing seeks the divestiture of key Google assets, including its Chrome browser, and calls for structural changes that could impact Android and its search operations. Google has strongly criticized the proposals, framing them as a threat to innovation, security, and consumer choice.

****Background of the Lawsuit****

The DOJ first filed its antitrust lawsuit against Google **in October 2020**, accusing the company of abusing its dominance in the search engine market to squash competition. The case focuses on Google’s search distribution agreements with major partners, such as Apple, Mozilla, and smartphone manufacturers, which allegedly back its **monopoly** by making Google Search the default on browsers and devices.

The DOJ argues that these practices harm competition by blocking rival search engines from gaining a foothold in the market. Central to the case is the allegation that Google’s actions prevent fair competition and innovation, ultimately harming consumers.

****What the DOJ Proposes****

Hackread.com analysed the DoJ’s **latest filing (PDF)**. Here’s what the Department has outlined and proposed to end Google’s dominance:

*   **Divestiture of Chrome and Possibly Android**: The DOJ suggests that Google sell its Chrome browser and its Android operating system to limit its control over internet access points.
*   **Search Choice Screens**: The proposal requires Google to implement choice screens, where users select their preferred search engine on devices like Google Pixel phones. This design must be approved by a newly proposed “Technical Committee.”
*   **Data Sharing Requirements**: Google would be required to share search data and innovations with competitors, including foreign companies.
*   **Ban on Default Search Agreements**: The DOJ aims to prohibit Google from entering into agreements with partners like Apple or Mozilla to make Google Search the default engine.

The DOJ has framed these measures as necessary to ensure fair competition and restore balance to the digital marketplace.

****Google’s Response****

In response, Google has strongly pushed back against the DOJ’s proposals, describing them as extreme, radical interventionist agenda, and harmful to consumers. In a **blog post** published November 11, 2024, Google argued that the proposals would:

*   **Compromise Privacy and Security**: Divesting Chrome and Android could lead to increased risks for user data and diminish the security features Google has built into these platforms.
*   **Stifle Innovation**: Google warned that the measures could chill investment in cutting-edge technologies, particularly in artificial intelligence, where the company is a global leader.
*   **Hurt Partners and Developers**: Google claims the proposals would harm partners like Mozilla, whose Firefox browser relies on revenue from Google’s search placement agreements.
*   **Introduce Overregulation**: Google criticized the creation of a Technical Committee with broad powers to oversee its operations as an unprecedented overreach.

Google maintains that its dominance in the search market is due to offering “the industry’s highest quality search engine,” not through unfair practices. The company plans to submit its own proposals and continue its legal battle into the next year.

> DOJ had a chance to propose remedies related to the issue in this case: search distribution agreements. Instead, DOJ chose to push a radical interventionist agenda that would harm Americans and America’s global technology leadership. https://t.co/QslGbUyklR
> 
> — News from Google (@NewsFromGoogle) November 21, 2024

****Industry-Wide Implications****

If the DOJ’s proposals are implemented, the tech industry could see a major change in power dynamics and business practices:

*   **Impact on Browser and Operating System Markets**: Forcing Google to sell Chrome and potentially Android would create opportunities for competitors, but it might also disrupt the user experience for millions who rely on Google’s integrated ecosystem.
*   **Search Market Competition**: Measures like search choice screens could pave the way for smaller search engines to gain traction, but critics argue that such interventions may confuse users and lead to inferior experiences.
*   **AI Development**: Google’s claims about reduced AI investment could have far-reaching consequences for advancements in automation, machine learning, and related industries.
*   **Global Technology Leadership**: The case raises concerns about U.S. competitiveness in technology, as the remedies could weaken one of the nation’s largest and most influential tech companies.

Nevertheless, the DOJ’s proposals mean a straightforward measure to limit one of the most powerful companies in the world, but the battle is far from over. Google has vowed to contest the measures, and the case will likely drag on for months if not years.

This legal battle will also challenge how we balance competition and innovation in the tech world. Its outcome could change how we use technology and online search for years to come.

1.  **ChatGPT’s Training Methods Challenged in Lawsuit**
2.  **Google Incognito: New Disclaimer Reveals Data Tracking**
3.  **$4B lawsuit claims Google tracked iPhone users’ activities**
4.  **DuckDuckGo says Google Incognito searches are not private**
5.  **HP Monopoly on Ink, Alleges 3rd-Party Cartridge Malware Risk**

DOJ Proposes Breaking Up Google: Calls for Sale of Chrome Browser

In US Senate testimony, a CrowdStrike exec explained how this advanced persistent threat penetrated telcos in Asia and Africa, gathering SMS messages, unique identifiers, and other metadata along the way.

Source: Jakub Krechowicz via Alamy Stock Photo

A newly unveiled threat actor has been spying on mobile phones in Asia and Africa for more than four years. 

On Nov. 19, Adam Meyers, senior vice president for counter-adversary operations at CrowdStrike, testified before the US Senate Judiciary Subcommittee on Privacy, Technology, and the Law, on the subject of Chinese cyber threats to critical infrastructure. In the process, he unveiled Liminal Panda, an advanced persistent threat (APT) hyper-focused on gathering intelligence from telecommunications networks.

Since 2020, Liminal Panda has been using network-based attacks to penetrate and pivot between telcos across geographic regions, gathering SMS messages, unique identifiers, and other metadata associated with mobile phones that could be of political or economic use to the Chinese state.

**Liminal Panda's MO**

Though the aim is to obtain data transmitted over telecommunications channels, a typical Liminal Panda attack might look a lot like any regular network breach.

"Your cellphone has a radio that talks to a tower, called a base station controller. And those things are connected, typically, by Internet-type protocols — network technology," Meyers explained. Where some attackers might focus on the towers and their transmissions, Liminal Panda targets the IT network infrastructure underpinning the system. "They're going to go in through the gateway of the telco, and inside there's going to be a lot of traditional IT systems."

Once inside a telco's network — so often staffed by outdated legacy systems — Liminal Panda has tools for collecting call and text records and other sensitive identifying data on large groups or individual targets. "When you send a text message from your mobile device, it goes to the tower via SMS that gets passed back into the core of the telco. Routing decisions are made, and then it goes to the next destination," he says. Liminal Panda malware acts on that interim step.

To facilitate the exfiltration of that information, the group's command-and-control (C2) setup emulates the Global System for Mobile Communications (GSM). GSM is a mobile communications standard that enables calling, texting, and the use of mobile data, and is the most widespread such standard in the world, used in more than 193 countries.

**Hopping Between Telcos**

Besides attacking specific telcos, Liminal Panda has also been observed hopping between them.

"When you go from one part of the country to another, or when you go from one country to another, you need to have interoperability. And there's a lot of infrastructure that goes into making that happen," Meyers said. Thing is: The open lines of communication between telecommunications providers, and their infrastructure over long distances, can also be weaponized. "There are multiple threat actors from China who really understand how telecommunications infrastructure works. They understand how it's all connected together, and they're able to abuse that in order to go between providers."

Though its understanding of industry-specific protocols helps, Liminal Panda also jumps between providers simply by abusing the Domain Name System (DNS). By the end of a campaign, the group has often established multiple, redundant routes for traveling between providers.

**China's End Goals**

Oppressive governments have long used telecommunications breaches to spy on foreign officials, internal political dissidents, journalists, and academics. "All of these groups are targeting telcos to perform bulk collection, because it gives them the opportunity to then \[hone in on\] an individual — see who they're texting, who they're calling, who they're with," Meyers explained.

If Liminal Panda is indeed working on behalf of China, as CrowdStrike assesses with admittedly low confidence, then this sort of spying might have a dual economic benefit as well. In his Senate testimony, Meyers highlighted how major national projects like the Belt and Road Initiative, Made in China 2025, the 2035 Vision, the Global China 2049, and the country's regular Five-Year Plans provide impetus for economic espionage.

"If you're doing a deal in that region, I want to know who you're meeting with. I can collect that information, if you're sending text messages about the deal," he says. "Or I can intercept them if you're meeting with somebody that is politically problematic for me."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

China's 'Liminal Panda' APT Attacks Telcos, Steals Phone Data

Though the information regarding the exploits is limited, the company did report that Intel-based Mac systems have been targeted by cybercriminals looking to exploit CVE-2024-44308 and CVE-2024-44309.

Source: Shahid Jamil via Alamy Stock Photo

Apple has released security updates to address two zero-day vulnerabilities that are under active exploitation in the wild.

The bugs, tracked as CVE-2024-44308 (CVSS 6.8) and CVE-2024-44309 (CVSS 4.3), are, respectively, a vulnerability in JavaScriptCore that could lead to arbitrary code execution; and a cookie management vulnerability in WebKit that could lead to a cross-site scripting (XSS) attack while processing malicious Web content.

The bugs affect Apple's iOS, iPadOS, macOS, visionOS, and the Safari Web browser; the company reports that it has addressed them with better checks and improved state management.

Clément Lecigne and Benoît Sevens at Google's Threat Analysis Group (TAG) first discovered and reported the vulnerabilities and, as is customary for the company, Apple did not provide any additional details of reported attacks nor did it offer indicators of compromise (IoCs).

"Apple is aware of a report that this issue may have been actively exploited on Intel-based Mac systems," Apple stated its advisory for both zero-days, the lone piece of information regarding in-the-wild exploitation attempts.

Those using affected Apple ecosystem products should update to iOS 18.1.1, macOS Sequoia 15.1.1, and  iOS 17.7.2 as soon as possible to avoid compromise.

**About the Author**

Apple Urgently Patches Actively Exploited Zero-Days

Apple has released security updates that look especially important for Intel-based Macs because they are already being exploited in the wild.

Apple has released security patches for most of its operating systems, including iOS, Mac, iPadOS, Safari, and visionOS.

The updates for iOS and Intel-based Mac systems are especially important, as they tackle vulnerabilities that are being actively exploited by cybercriminals. You should make sure you update as soon as you can.

To check if you’re using the latest software version, go to **Settings > General > Software Update**. It’s also worth turning on Automatic Updates if you haven’t already, which you can do on the same screen.

To determine whether your Mac is Intel-based or equipped with Apple silicon, follow these simple steps:

*   Click the Apple icon in the top-left corner of your screen.
*   Select **About This Mac**.
*   Check the information:
    
    *   If you see an item labeled Chip, your Mac has Apple silicon (like M1, M2, or M3).
    
    *   If you see an item labeled Processor, it indicates that your Mac is Intel-based, and the specific Intel processor name will be listed next to it.

**Technical details**

Because Apple does not share details until everyone has had a chance to update, it is hard to figure out what the exact problem is. But there are some things we can deduct from the given information.

The vulnerabilities that Apple says may have been actively exploited on Intel-based Mac systems are:

CVE-2024-44308: a vulnerability in the JavaScriptCore component. Processing maliciously crafted web content may lead to arbitrary code execution. This means that an attacker will have to trick a victim into opening a malicious file containing web content.

JavaScriptCore is the built-in JavaScript engine for WebKit that enables cross-platform development by providing a way to execute JavaScript within native iOS and macOS applications.

CVE-2024-44309: a cookie management issue in the WebKit component was addressed with improved state management. This issue is fixed in Safari 18.1.1, iOS 17.7.2 and iPadOS 17.7.2, macOS Sequoia 15.1.1, iOS 18.1.1 and iPadOS 18.1.1, visionOS 2.1.1. Processing maliciously crafted web content may lead to a cross-site scripting attack.

**We don’t just report on macOS security—we provide it.**

Cybersecurity risks should never spread beyond a headline. Keep threats off your Mac by downloading Malwarebytes for Mac today.

Tag

#apple