Law firms make the perfect target for extortion, so it's no wonder that ransomware attackers target them and demand multimillion dollar ransoms.

Source: the lightwriter via Alamy Stock Photo

2023 was the worst year on record for cybersecurity in the legal industry by some distance.

Just one point of evidence: Since 2018, 2.9 million records have been stolen in association with publicly reported breaches of law firms. Some 1.56 million records were stolen last year alone, an increase of 615% as compared with the down year of 2022 (218,473 records).

A new blog post from Comparitech paints a picture of an industry struggling to grapple with the ransomware problem. Major law firms have been paying multimillion dollar sums to protect their clients' ultra-sensitive data, and flailing in their attempts to fight back.

**The State of Legal Industry Cybersecurity**

Since 2018, 138 legal firms have publicly admitted being affected by ransomware attacks.

Of those, 107 attacks have been US-based, with approximately 2.9 million records affected. As Comparitech noted, the distance between the US and its next neighbors — the UK, with 9 attacks affecting 9,703 records, and Germany, with 5 affecting an unknown number — may have more to do with reporting requirements than anything else.

Source: Comparitech

Ransom demands vary widely. In 2021, the French law firm Cabinet Remy Le Bonnois paid the Everest group just $30,000 to resolve its attack. At the other end of the spectrum: REvil demanded $21 million from New York's Grubman Shire Meiselas & Sacks in 2020. The attackers doubled that amount to $42 million when the group discovered that Grubman's records included some belonging to Donald Trump. (The firm did not pay.)

The average ransom among publicly reported cases has been $2.47 million, and the average amount actually paid out after negotiations is $1.65 million. These numbers are rough estimates of reality, however, as only 11 reported incidents also reported the ransom demands, with only eight reported ransoms paid.

**Consequences to Law Firms**

If ransomware attacks against law firms have been trending, it's because they make for perfect targets.

"Legal firms are an interesting case," Paul Bischoff, privacy advocate at Comparitech explains, "because with most any other company, hackers are just looking for low-hanging fruit. They may want as many, say, Social Security numbers or passwords as they can possibly steal. And higher quantities of records is the goal. But with law firms, you have data that's very valuable to very specific people. Documents related to ongoing litigation would be extremely valuable to an opposing party in that case. So it's not so much about the quantity of data as much as it is about the content."

The ultra-sensitivity of legal data puts firms in a difficult negotiating position: pay millions of dollars, and risk achieving nothing, or don't, and risk extra ire from clients. 12% of legal industry ransomware attacks have resulted in lawsuits, and at least 75% of those have been successful.

Another reason to pay up? Comparitech estimates that the 138 attacks recorded might have cost victims around $18.8 billion dollars, purely thanks to the downtime they incurred. One victim of LockBit — the Ince Group, based in London — filed for bankruptcy last year after failing to cover the £5 million ($6.5 million USD) it spent restoring its systems.

Meanwhile, when victims try to use the law in their aid, they usually fail. The UK's Ward Hadaway and Australia's HWL Ebsworth Lawyers both issued injunctions against their attackers to little effect, as anonymous hackers aren't particularly easy to wrangle into court. Canadian firm Robson Carpenter LLP enjoyed seeing its attacker face justice, but in the end received just $2,500 in restitution.

On the bright side, ransomware attacks against law firms in 2024 are noticeably lagging behind last year's numbers. Only 11 have been reported so far, affecting an unknown volume of client data.

"Overall, ransomware attacks happen down in frequency of attacks across all sectors that we've been covering," Bischoff notes. Perhaps, he speculates, attackers have been choosing quality over quantity. Or, more optimistically, "I think it's law enforcement crackdowns, and companies and organizations getting better in general at knowing what these threats are and being prepared."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

More Legal Records Stolen in 2023 Than Previous 5 Years Combined

A malvertising campaign uses phishing to steal legitimate account pages, with the endgame of delivering the Lumma stealer.

Source: Hocus Focus Studio via iStock

Attackers are hijacking pages on Facebook to lure victims into downloading a legitimate artificial intelligence (AI) photo editor, but then serving up a widely distributed infostealer to rob users of their credentials instead.

The malvertising campaign, discovered by researchers at Trend Micro, exploits the popularity of AI and combines a variety of popular threat tactics, including phishing, social engineering, and the use a legitimate utility in a malicious way. The ultimate payload is the Lumma stealer, which targets sensitive information, including user credentials, system details, browser data, and extensions.

The attack hinges on the abuse of paid Facebook promotions, which attackers have leveraged to lure users into engagement and ultimately deliver malware, the researchers noted in a blog post today.

“Once the attacker gains control of the page, ads are posted promoting the AI photo editor, leading victims to download an endpoint management utility disguised as the photo editor,” Trend Micro threat researcher Jaromir Horejsi wrote.

Attackers also are taking advantage of the current attention on AI technology and tools associated with it by using these tools "as lures for malicious activities, which includes phishing scams, deepfakes, and automated attacks," he wrote.

So far, the malicious package associated with the campaign has generated about 16,000 downloads on Windows and 1,200 on macOS. However, the macOS version redirects to the Apple website instead of an attacker-controlled site, suggesting that attackers are only targeting Windows users with the campaign.

**Phishing Leads to Hijacked Pages**

A typical attack in the campaign starts before a potential victim even sees an ad. Attackers begin by sending phishing messages to owners of the targeted social media page to gain control of the page for their own malicious use. The sender account typically looks like an empty profile with randomly generated user names.

The phishing links in the messages are sent either as direct links or personalized link pages, such as linkup.top, bio.link, s.id, and linkbio.co, among others. Sometimes attackers even abuse Facebook's open redirect URL for these links to appear more legitimate.

If the page operator clicks on the links, they are presented with a screen to verify their information with a "Business Support Center" for Meta developers. Clicking on that screen's "Verify Your Information Here" link leads to a fake account protection page, "which in several subsequent steps, asks users for the information necessary to log in and take over their account, such as their phone number, email address, birthday, and password," Horejsi explained.

After the target provides this info, the attacker steals the profile and begins creating and posting malicious ads for an AI photo editor with links to a fake domain that uses the name of a legitimate tool, such as Evoto.

"The fake photo editor web page looks very similar to the original one, which helps in tricking the victim into thinking that they are downloading a photo editor," Horejsi wrote.

However, what a user who takes the bait actually downloads is the freely available ITarian endpoint management software. The attacker, using a series of back-end processes controls, ultimately controls the victim's machine to download the final payload, the Lumma stealer.

**Avoiding Compromise**

There are a number of ways that people can avoid falling victim to the campaign and threats that abuse social media pages, which not only can compromise users but also lead to secondary attacks via stolen credentials that act as initial entry into enterprise infrastructure, according to Trend Micro.

Social-media users should enable multifactor authentication on all their accounts to add an extra layer of protection against unauthorized access, as well as regularly update and use strong, unique passwords across all accounts.

Organizations also should regularly practice education and awareness to let their employees know of the dangers lurking on social media while accessing corporate networks, as well as how to identify suspicious messages and links associated with phishing attacks.

Finally, both organizations and individual users should monitor their accounts for any unusual behavior, such as unexpected login attempts or changes to account information. Organizations should employ some kind of detection and response mechanisms.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Attackers Hijack Facebook Pages, Promote Malicious AI Photo Editor

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.
"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team

Data Encryption / Browser Security

Google has announced that it's adding a new layer of protection to its Chrome browser through what's called app-bound encryption to prevent information-stealing malware from grabbing cookies on Windows systems.

"On Windows, Chrome uses the Data Protection API (DPAPI) which protects the data at rest from other users on the system or cold boot attacks," Will Harris from the Chrome security team said. "However, the DPAPI does not protect against malicious applications able to execute code as the logged in user – which info-stealers take advantage of."

App-bound encryption is an improvement over DPAPI in that it interweaves an app's identity (i.e., Chrome in this case) into encrypted data to prevent another app on the system from accessing it when decryption is attempted.

"Because the app-bound service is running with system privileges, attackers need to do more than just coax a user into running a malicious app," Harris said. "Now, the malware has to gain system privileges, or inject code into Chrome, something that legitimate software shouldn't be doing."

Given that the method strongly binds the encryption key to the machine, it will not function correctly in environments where Chrome profiles roam between multiple machines. Organizations that support roaming profiles are encouraged to follow its best practices and configure the ApplicationBoundEncryptionEnabled policy.

The change, which went live last week with the release of Chrome 127, applies only to cookies, although Google said it intends to expand this protection to passwords, payment data, and other persistent authentication tokens.

Back in April, the tech giant outlined a technique that employs a Windows event log type called DPAPIDefInformationEvent to reliably detect access to browser cookies and credentials from another application on the system.

It's worth noting that the web browser secures passwords and cookies in Apple macOS and Linux systems using Keychain services and system-provided wallets such as kwallet or gnome-libsecret, respectively.

The development comes amid a slew of security improvements added to Chrome in recent months, including enhanced Safe Browsing, Device Bound Session Credentials (DBSC), and automated scans when downloading potentially suspicious and malicious files.

"App-bound encryption increases the cost of data theft to attackers and also makes their actions far noisier on the system," Harris said. "It helps defenders draw a clear line in the sand for what is acceptable behavior for other apps on the system."

It also follows Google's announcement that it no longer plans to deprecate third-party cookies in Chrome, prompting the World Wide Web Consortium (W3C) to reiterate that they enable tracking and that the decision undermines the progress achieved so far to make the web work without third-party cookies.

"Tracking and subsequent data collection and brokerage can support micro-targeting of political messages, which can have a detrimental impact on society," it said. "The unfortunate climb-down will also have secondary effects, as it is likely to delay cross-browser work on effective alternatives to third-party cookies."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google Chrome Adds App-Bound Encryption to Protect Cookies from Malware

Significant upcoming legislation promises to tighten the screws on cyber incident response in Australia, mirroring CIRCIA in the US.

Source: Bonaventura via Alamy Stock Photo

Australian companies may soon have to disclose to the government any ransom payments they surrender to ransomware attackers.

It wasn't so long ago that Australia's government was considering an outright ban on ransom payments across the country. That idea didn't survive, but a slightly softer rule was floated in a national cybersecurity strategy document published last November. In just a single sentence buried deep in that document, the government signaled its intention that "To stay ahead of the threat, we will co-design with industry options to legislate a no-fault, no-liability ransomware reporting obligation for businesses."

That obligation seems to be part of the country's upcoming Cyber Security Act, which is expected to be brought before parliament during its next sitting in just a couple of weeks' time.

Following an interview with Clare O'Neil — who, until Monday, was Australia's Minister for Home Affairs — the Australian Broadcasting Corporation (ABC) reported that businesses making more than $3 million AUD ($1.96 million US) in annual revenue will be forced to report their ransom payments. However, the fines for noncompliance are purportedly just $15,000.

Dark Reading has contacted Australia's Department of Home Affairs to confirm reports about the new rule.

"The goal with such laws is to allow governments to have insight into funds going to bad actors, in order to be able to track those payments and hopefully bring criminals to justice," explains Beth Burgin Waller, chair of the Cybersecurity & Data Privacy practice at Woods Rogers Vandeventer Black (WRVB).

In Australia's case, "The proposed bill appears to mirror what we are seeing in the United States from CIRCIA (the Cyber Incident Reporting for Critical Infrastructure Act of 2022), which requires that covered entities report ransom payments within 24 hours of making a ransom payment to CISA," she explains. "The Australian proposed law is broader, though, in the sense that it appears to be for any business making a ransom payment, whereas it appears CIRCIA covers only 'covered entities,' which the current proposed CIRCIA regulations broadly define."

**Will Forcing Ransom Disclosure Work?**

Australia has been rocked by some major cyberattacks in recent years. In 2022, a breach of millions of consumer records struck the telecommunications company Optus. Shortly thereafter, a case of similar scope hit the health insurance provider Medibank. Last year, a cyber disruption downed four core ports around the country for a weekend. And there have been more.

The toll to Australia's economy has been significant. As former minister O'Neil noted in a forward to the 2023–2030 Australian Cyber Security Strategy, a cyber incident is reported to the government every six minutes. (Of course, that doesn't include all the incidents that don't get reported.) Ransomware, meanwhile, is responsible for $3 billion worth of damage to Aussie organizations annually, and cyberattack costs are rising 14% per annum.

Any hard and fast rules that help curb the problem inevitably affect different organizations differently. On one hand there are larger companies, which can handle the costs involved and stand to benefit the most from clearer regulations.

"With laws like this popping up locally across the globe, it creates a patchwork quilt of compliance for multi-national organizations with perhaps a headquarters in the United States but significant operations in Australia," Waller says.

Smaller organizations, meanwhile, have fewer resources to dedicate to cybersecurity, and less money to pay fines when they fall short. According to ABC, the Australian Chamber of Commerce and Industry (ACCI) trade organization supports parts of the upcoming Cyber Security Act, but proposes that the minimum revenue threshold for businesses affected by the reporting rule should be $10 million.

**Incentive for Stronger Cyber Defenses**

The hope, regardless, is that any potential negative side effects will be outweighed by greater visibility for law enforcement, and more effective incentives for companies to better themselves.

"Mandatory disclosures may prompt a reassessment of corporate practices regarding negotiations with cybercriminals," says Anne Cutler, cybersecurity evangelist at Keeper Security. "With the knowledge they must disclose any ransom payments, business leaders may be persuaded to invest more heavily in preventive measures and robust incident response plans to avoid the financial and reputational scrutiny that comes with public disclosure."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Australian Companies Will Soon Need to Report Ransom Payments

Malicious actors could potentially exploit this vulnerability if they gain physical access to a user's device.

Source: Anatolii Babii via Alamy Stock Photo

Apple released updates for a variety of its products to patch recent vulnerabilities found in Siri, the Apple iOS digital assistant.

The vulnerabilities could allow an attacker to steal information through a locked device because when a device is locked, there are still voice commands that the digital assistant can process and may allow access to contacts and other sensitive data.

In its latest round of fixes, Apple restricted these options to prevent malicious actors from exploiting the vulnerability, even if they have physical access to a device.

In addition to the iPhone, the company patched a similar vulnerability in Apple Watch, iOS, iPadOS, and the macOS Ventura.

Users should update to the latest software version of iOS and iPadOS, iOS 17.6, or iPadOS 17.6, to mitigate these bugs by going to settings, general, and then software update.

**About the Author(s)**

Siri Bug Enables Data Theft on Locked Apple Devices

A binary in Apple macOS could allow an adversary to execute an arbitrary binary that bypasses SIP.

Wednesday, July 31, 2024 12:00

Cisco Talos’ Vulnerability Research team has helped to disclose and patch six new vulnerabilities over the past three weeks, including one in a driver that powers certain NVIDIA graphics cards.  

The majority of the vulnerabilities that Talos disclosed during this period exist in Ankitects Anki, an open-source program that allows users to study information using flashcards. The most serious of these issues has a CVSS score of 9.6 out of 10. 

All the vulnerabilities mentioned in this blog post have been patched by their respective vendors, all in adherence to Cisco’s third-party vulnerability disclosure policy. 

For Snort coverage that can detect the exploitation of these vulnerabilities, download the latest rule sets from Snort.org, and our latest Vulnerability Advisories are always posted on Talos Intelligence’s website. 

**Out-of-bounds read vulnerability in NVIDIA GPU Compiler Driver **

_Discovered by Piotr Bania._ 

A compiler driver in some NVIDIA graphics cards contains an out-of-bounds read vulnerability that could allow an adversary to read an arbitrary memory region. 

An adversary could exploit TALOS-2024-1956 (CVE-2024-0107) by sending a targeted device a specially crafted executable/shader file, leading to an out-of-bounds read. 

This vulnerability could be triggered from guest machines running virtualization environments to perform a guest-to-host escape — as previously demonstrated in other GPU vulnerabilities like TALOS-2018-0533. 

Talos researchers were able to trigger this vulnerability from a Hyper-V guest using the RemoteFX feature, which led to being able to execute the vulnerable code on the Hyper-V host. While Microsoft has deprecated RemoteFX, this feature may still be present in older versions of the Windows operating system. 

**Multiple vulnerabilities in Ankitects Anki flashcard software **

_Discovered by Autumn Bee Skerritt of Cisco Duo Security and Jacob B._ 

The Ankitects Anki flashcard software contains multiple vulnerabilities, one of which could lead to arbitrary code execution. This open-source tool allows users to create and share flashcards to study information.  

An adversary could exploit all these vulnerabilities by sharing a specially crafted, malicious flashcard with a targeted user.  

TALOS-2024-1994 (CVE-2024-32152) could lead to the creation of an arbitrary file along a fixed path. This vulnerability exists because a malicious user could manipulate a blocklist that normally prevents the use of certain malicious commands.  

TALOS-2024-1992 (CVE-2024-29073) also involves manipulating the command blocklist, but in this case, could lead to arbitrary file read. 

An adversary could also exploit TALOS-2024-1995 (CVE-2024-32484), a cross-site scripting vulnerability, in the software to inject JavaScript code into a flashcard and read a normally inaccessible file.  

The most serious among this group of vulnerabilities is TALOS-2024-1993 (CVE-2024-26020), a script injection vulnerability that could lead to arbitrary code execution. This vulnerability has a CVSS score of 9.6 out of 10. In Talos’ testing, researchers could exploit this vulnerability to obtain full command injection on the targeted user’s system.

Out-of-bounds read vulnerability in NVIDIA driver; Open-source flashcard software contains multiple security issues

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

Posted Jul 31, 2024

Authored by indoushka

AccPack Khanepani version 1.0 suffers from an insecure direct object reference vulnerability.

tags | exploit

SHA-256 | 760d2e5184238b42e8f1ba299d632f9a683af578d5af3fd433dd135eb0ceb06b

Download | Favorite | View

**AccPack Khanepani 1.0 Insecure Direct Object Reference**

    =============================================================================================================================================| # Title     : AccPack Khanepani v1.0 IDOR Vulnerability                                                                                   || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 125.0.1 (64 bits)                                                            || # Vendor    : http://webpay.com.np/#Product                                                                                               |=============================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] Insecure Direct Object Reference : leads to the creation of a new file in the list.[+] use payload : cms/gallery/insert.php[+] http://127.0.0.1/jamiatulamanepalorgnp/cms/gallery/insert.phpGreetings to :============================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * CraCkEr |==========================================================================

**File Tags**

*   ActiveX (933)
*   Advisory (86,223)
*   Arbitrary (16,842)
*   BBS (2,859)
*   Bypass (1,855)
*   CGI (1,033)
*   Code Execution (7,784)
*   Conference (691)
*   Cracker (844)
*   CSRF (3,384)
*   DoS (25,024)
*   Encryption (2,389)
*   Exploit (53,098)
*   File Inclusion (4,257)
*   File Upload (990)
*   Firewall (822)
*   Info Disclosure (2,885)
*   Intrusion Detection (914)
*   Java (3,141)
*   JavaScript (896)
*   Kernel (7,184)
*   Local (14,788)
*   Magazine (586)
*   Overflow (13,165)
*   Perl (1,435)
*   PHP (5,221)
*   Proof of Concept (2,381)
*   Protocol (3,724)
*   Python (1,631)
*   Remote (31,625)
*   Root (3,633)
*   Rootkit (526)
*   Ruby (631)
*   Scanner (1,657)
*   Security Tool (8,024)
*   Shell (3,273)
*   Shellcode (1,217)
*   Sniffer (902)
*   Spoof (2,275)
*   SQL Injection (16,594)
*   TCP (2,440)
*   Trojan (690)
*   UDP (904)
*   Virus (669)
*   Vulnerability (32,921)
*   Web (9,953)
*   Whitepaper (3,781)
*   x86 (967)
*   XSS (18,239)
*   Other

**File Archives**

*   July 2024
*   June 2024
*   May 2024
*   April 2024
*   March 2024
*   February 2024
*   January 2024
*   December 2023
*   November 2023
*   October 2023
*   September 2023
*   August 2023
*   Older

**Systems**

*   AIX (429)
*   Apple (2,099)
*   BSD (377)
*   CentOS (58)
*   Cisco (1,927)
*   Debian (7,084)
*   Fedora (1,693)
*   FreeBSD (1,246)
*   Gentoo (4,534)
*   HPUX (880)
*   iOS (378)
*   iPhone (108)
*   IRIX (220)
*   Juniper (69)
*   Linux (50,580)
*   Mac OS X (691)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (489)
*   RedHat (16,432)
*   Slackware (941)
*   Solaris (1,611)
*   SUSE (1,444)
*   Ubuntu (9,710)
*   UNIX (9,432)
*   UnixWare (187)
*   Windows (6,668)
*   Other

AccPack Khanepani 1.0 Insecure Direct Object Reference

Apple has released security updates that patch vulnerabilities in Siri and VoiceOver that could be used to access sensitive user data.

Apple has released security updates for many of its products in order to patch several vulnerabilities that could allow an attacker to steal sensitive information from a locked device.

Included in the patches for Apple Watch, iOS, and iPadOS are four vulnerabilities in Siri. While your device is locked there are several voice-commands your digital assistant can process.

Apple has restricted these options to stop an attacker with physical access from being able to access contacts from the lock screen and access other sensitive user data. Using Siri on a locked device has limitations to protect your privacy and security, and the digital assistant should only be able to perform tasks that do not require access to sensitive data locked behind the device’s security systems, such as Face ID or a passcode.

A similar vulnerability was also patched in the VoiceOver component in Apple Watch, iOS, iPadOS, and macOS Ventura. To check whether VoiceOver is on or off on your iPhone or iPad, you can check by looking at **Settings > Accessibility > VoiceOver**.

To check if you’re using the latest software version of iOS and iPadOS, go to **Settings** > **General** > **Software Update**. You want to be on iOS 17.6 or iPadOS 17.6, so update now if you’re not. It’s also worth turning on Automatic Updates if you haven’t already. You can do that on the same screen.

iPad Software update is available

Here’s an overview of the available updates for the various Apple products:

Name:

Available for:

Safari 17.6

macOS Monterey and macOS Ventura

iOS 17.6 and iPadOS 17.6

iPhone XS and later, iPad Pro 13-inch, iPad Pro 12.9-inch 2nd generation and later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation and later, iPad Air 3rd generation and later, iPad 6th generation and later, and iPad mini 5th generation and later

iOS 16.7.9 and iPadOS 16.7.9

iPhone 8, iPhone 8 Plus, iPhone X, iPad 5th generation, iPad Pro 9.7-inch, and iPad Pro 12.9-inch 1st generation

macOS Sonoma 14.6

macOS Sonoma

macOS Ventura 13.6.8

macOS Ventura

macOS Monterey 12.7.6

macOS Monterey

watchOS 10.6

Apple Watch Series 4 and later

tvOS 17.6

Apple TV HD and Apple TV 4K (all models)

visionOS 1.3

Apple Vision Pro

iOS 15.8.3 and iPadOS 15.8.3

iPhone 6s (all models), iPhone 7 (all models), iPhone SE (1st generation), iPad Air 2, iPad mini (4th generation), and iPod touch (7th generation)

Apple also patched the regreSSHion vulnerability that allows unauthenticated Remote Code Execution (RCE) in OpenSSH.

For beta testers Apple also released the first beta of iOS 18.1 to developers. This update is available for iPhone 15 Pro and iPhone 15 Pro Max and includes the first set of Apple Intelligence features, such as Writing Tools, new features for Mail and notifications, upgrades to Photos, and more.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 Apple fixes Siri vulnerabilities that could have allowed sensitive data theft from locked device. Update now! 

With sufficient privileges in Active Directory, attackers only have to create an "ESX Admins" group in the targeted domain and add a user to it.

Source: Schoening via Alamy Stock Photo

Multiple ransomware groups have been weaponizing an authentication bypass bug in VMware ESXi hypervisors to quickly deploy malware across virtualized environments.

VMware assigned the bug (CVE-2024-37085) a "medium" 6.8 out of 10 score on the CVSS scale. The average score is largely due to the fact that it requires an attacker to have existing permissions in a target's Active Directory (AD).

If they do have AD access, however, attackers can cause significant damage. With no technical trickery whatsoever, they can use CVE-2024-37085 to instantly scale up their ESXi privileges to the max, opening the door to ransomware deployment, data exfiltration, lateral movement, and more. Groups like Storm-0506 (aka Black Basta), Storm-1175, Manatee Tempest (part of Evil Corp), and Octo Tempest (aka Scattered Spider) have already tried it out, deploying ransomware such as Black Basta and Akira.

Broadcom recently published a fix, available on its website.

**How CVE-2024-37085 Works**

Some organizations configure their ESXi hypervisors to use AD for user management. It turns out that by doing this, organizations were exposing themselves to something unexpected. By default, ESXi hypervisors granted full administrative access to any member of an AD domain group named "ESX Admins."

It's unclear how the "ESX Admins" group vulnerability was introduced into ESXi in the first place—Broadcom declined to clarify when Dark Reading reached out on the question. As Microsoft noted in a blog post, there's no particular reason why the hypervisor should have expected such a domain group, or have had a rule for what to do with it. "This group is not a built-in group in Active Directory and does not exist by default. ESXi hypervisors do not validate that such a group exists when the server is joined to a domain and still treats any members of a group with this name with full administrative access, even if the group did not originally exist," the threat intel team wrote. "Additionally, the membership in the group is determined by name and not by security identifier (SID)."

Exploiting CVE-2024-37085 was entirely trivial. So long as an attacker had sufficient privileges in AD, all they'd have to do to gain ESXi admin privileges was to create an "ESX Admins" group in the targeted domain and add a user to it. They could also rename any existing group to "ESX Admins," and either wield one of its existing users or add a new one.

**The Risk with Hypervisors**

"Ransomware attacks targeting ESXi and VMs are increasingly common, especially since around 2020, when enterprises increased their move toward digital transformation and took advantage of modern hybrid cloud and virtualized on-premise environments," explains Jason Soroko, senior vice president of product at Sectigo.

For all the business sense they make, virtualized environments also afford hackers unique benefits. Hypervisors tend to run many VMs at once, making them a one-stop shop for blasting ransomware as widely as possible, and those VMs often host critical services and business data.

Their utility to hackers makes it all the more troubling that, as Microsoft noted in its blog, security products have limited visibility and protections for hypervisors. This, Soroko explains, is "due to their isolation, complexity, and the specialized knowledge required for their protection. This isolation makes it difficult for traditional security tools to monitor and protect the entire environment, and API integration limits further exacerbate this issue."

To cover for these shortcomings, Microsoft highlighted the importance of keeping up to date with patches, and practicing broader cyber hygiene around critical and vulnerable assets. "Attackers love using the path of least resistance that provides maximum opportunity," Soroko notes, adding that ransomware actors will only target these systems more and more in the future.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs

Apple Security Advisory 07-29-2024-9 - visionOS 1.3 addresses bypass, information leakage, integer overflow, out of bounds access, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-07-29-2024-9 visionOS 1.3

visionOS 1.3 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214123.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: Apple Vision Pro  
Impact: A local attacker may be able to cause unexpected system shutdown  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27826: Ye Zhang (@VAR10CK) of Baidu Security and Minghao Lin

AppleAVD  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-27804: Meysam Firouzi (@R00tkitSMM)

CoreGraphics  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40799: D4m0n    

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may lead to a denial-of-service  
Description: This is a vulnerability in open source code and Apple  
Software is among the affected projects. The CVE-ID was assigned by a  
third party. Learn more about the issue and CVE-ID at cve.org.  
CVE-2023-6277  
CVE-2023-52356

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds read issue was addressed with improved  
input validation.  
CVE-2024-40806: Yisumi

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40777: Junsung Lee working with Trend Micro Zero Day  
Initiative, and Amir Bazine and Karsten König of CrowdStrike Counter  
Adversary Operations

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted file may lead to unexpected app  
termination  
Description: An integer overflow was addressed with improved input  
validation.  
CVE-2024-40784: Junsung Lee working with Trend Micro Zero Day Initiative  
and Gandalf4a

Kernel  
Available for: Apple Vision Pro  
Impact: A local attacker may be able to determine kernel memory layout  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-27863: CertiK SkyFall Team

Kernel  
Available for: Apple Vision Pro  
Impact: An attacker in a privileged network position may be able to  
spoof network packets  
Description: A race condition was addressed with improved locking.  
CVE-2024-27823: Prof. Benny Pinkas of Bar-Ilan University, Prof. Amit  
Klein of Hebrew University, and EP

Kernel  
Available for: Apple Vision Pro  
Impact: A local attacker may be able to cause unexpected system shutdown  
Description: A type confusion issue was addressed with improved memory  
handling.  
CVE-2024-40788: Minghao Lin and Jiaxun Zhu from Zhejiang University

Shortcuts  
Available for: Apple Vision Pro  
Impact: A shortcut may be able to bypass Internet permission  
requirements  
Description: A logic issue was addressed with improved checks.  
CVE-2024-40809: an anonymous researcher  
CVE-2024-40812: an anonymous researcher

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A use-after-free issue was addressed with improved memory  
management.  
WebKit Bugzilla: 273176  
CVE-2024-40776: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 268770  
CVE-2024-40782: Maksymilian Motyl

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
WebKit Bugzilla: 275431  
CVE-2024-40779: Huang Xilin of Ant Group Light-Year Security Lab  
WebKit Bugzilla: 275273  
CVE-2024-40780: Huang Xilin of Ant Group Light-Year Security Lab

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to a cross  
site scripting attack  
Description: This issue was addressed with improved checks.  
WebKit Bugzilla: 273805  
CVE-2024-40785: Johan Carlsson (joaxcar)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-40789: Seunghyun Lee (@0x10n) of KAIST Hacking Lab working with  
Trend Micro Zero Day Initiative

Additional recognition

AirDrop  
We would like to acknowledge Linwz of DEVCORE for their assistance.

Shortcuts  
We would like to acknowledge an anonymous researcher for their  
assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/HT214009  To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.  
All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmaoIKEACgkQX+5d1TXa  
IvrPMhAAvJRTT2vBEmsCe8fWRLfDlgrh95ubjnuQ0VJ+dbM2MrdUXZr/bueevkhJ  
K8bCqDg19hqeWStGG2FoVB0lThZOiS7BIBYyNmfKKyID25dXKUUGVSluLTATOFCs  
YVruEya71fuY4JAFI6c6S2rCfbTDLS0/8Iq72LQX/umUo5DD9YX/fBgKA7ji6KML  
49cOpRpT6xG2OYEFG+GQw4p8/ha4Dg1QSPhSgYs1n0iwv2Al5siedmhxT+j8Xnof  
O0Wo54q+e7lIMTQaj8SLKh2zysYpHGNREaUIfGKCyr0FuJCEkWdGNaMlNeqI602z  
CYVnLLr3H0tcOGSQtmlUodPQEjunGs3j1AUkZuezagHZzqmR1Tlh4tt3tx3s0B3+  
nxIoA2ejJH6no5gvaOFZmc8MgUgwL0/LO/GRm6Ow9lu9N8Bbey34s5h4bnn78/M+  
W11upSvy6j2C7Nz5n6KgySSmj3sx0AGw199+MoR3iu1+3dGt332CYCIzDI/9WJTg  
sdVFJD7ZLLSjt2lDD5FkJqoAy1kkTqi9eSsbOVlfYEgBvUr4zvvL8mNgx1/l6mFH  
9w+rOTo1inMKLwwtPuqJQhEq0uUSY7LcAjIqUBmPWu1PENpeGIOQaSNxkL35SGkB  
6lAKhD6YpkFIrwzuGMtfD9wwPC4OK48BfOV5YMNH4YLT0G4RjMQ=  
=E3LP  
-----END PGP SIGNATURE-----

Tag

#apple