Apple thwarts NSO’s spyware, the rise of a GPT-4 black market, Russia targets Starlink internet connections, and more.

Employees of the US Immigration and Customs Enforcement agency (ICE) abused law enforcement databases to snoop on their romantic partners, neighbors, and business associates, WIRED exclusively revealed this week. New data obtained through record requests show that hundreds of ICE staffers and contractors have faced investigations since 2016 for attempting to access medical, biometric, and location data without permission. The revelations raise further questions about the protections ICE places on people’s sensitive information.

Security researchers at ESET found old enterprise routers are filled with company secrets. After purchasing and analyzing old routers, the firm found many contained login details for company VPNs, hashed root administrator passwords, and details of who the previous owners were. The information would make it easy to impersonate the business that owned the router originally. Sticking with account security: The race to replace all your passwords with passkeys is entering a messy new phase. Adoption of the new technology faces challenges getting off the ground.

The supply chain breach of 3CX, a VoIP provider that was compromised by North Korean hackers, is coming into focus, and the attack appears to be more complex than initially believed. Google-owned security firm Mandiant said 3CX was initially compromised by a supply chain attack before its software was used to further spread malware.

Also this week, it emerged that the notorious LockBit ransomware gang is developing malware that aims to encrypt Macs. To date, most ransomware has focused on machines running Windows or Linux, not devices made by Apple. If LockBit is successful, it could open up a new ransomware frontier—however, at the moment, the ransomware doesn’t appear to work.

With the rise of generative AI models, like ChatGPT and Midjourney, we’ve also looked at how you can guard against AI-powered scams. And a hacker who compromised the Twitter account of right-wing commentator Matt Walsh said they did so because they were “bored.”

But that’s not all. Each week, we round up the stories we didn’t report in-depth ourselves. Click on the headlines to read the full stories. And stay safe out there.

Car thieves are using a series of small hacking tools—sometimes hidden in Nokia 3310 phones or Bluetooth speakers—to break into and steal vehicles. This week, a report from Motherboard detailed how criminals are using controller area network (CAN) injection attacks to steal cars without having access to their keys. Security researchers say criminals first have to detach a car's headlights and then connect the hacking tool with two cables. Once connected, it can send fake messages to the car that look like they are originating from the car's wireless keys, and allow it to be unlocked and started.

Motherboard reports the hacking devices are being sold online and in Telegram channels for between $2,700 and $19,600, a potentially small price when trying to steal luxury cars. Security researchers at Canis Labs first detailed the issue after one car was stolen using the technique. Advertisements claim the tools can work on vehicles made by Toyota, BMW, and Lexus. The security researchers say encrypting traffic sent in CAN messages would help to stop the attacks.

In recent years, NSO Group’s Pegasus spyware has been used to target political leaders, activists, and journalists around the world, with experts describing the technology as being as powerful as the capabilities of the most elite hackers. In response to the sophisticated spyware, Apple released Lockdown Mode last year, which adds extra security protections to iPhones and limits how successful spyware could be. Now, new research from the University of Toronto’s Citizen Lab has found that Apple’s security measures are working. Cases reviewed by Citizen Lab showed that iPhones running Lockdown Mode have blocked hacking attempts linked to NSO’s software and sent notifications to the phones’ owners. The research found three new “zero-click” exploits that could impact iOS 15 and iOS 16, which had been targeted at members of Mexico’s civil society. Lockdown mode detected one of these attacks in real time.

Since OpenAI released GPT-4 in March, people have clamored to get their hands on the text-generating system. This, perhaps unsurprisingly, includes cybercriminals. Analysts at security firm Check Point have discovered a burgeoning market for the sale of login details for GPT-4. The company says that since the start of March, it has seen an “increase in discussion and trade of stolen ChatGPT accounts.” This includes criminals swapping premium ChatGPT accounts and brute-forcing their way into accounts by guessing email logins and passwords. The efforts could in theory help people in Russia, Iran, and China to access OpenAI’s system, which is currently blocked in those nations.

Russia has been trying to control Ukraine's internet access and media since Vladimir Putin launched his full-scale invasion in February 2022. Sensitive US documents leaked on Discord now show that Russian forces have been experimenting with an electronic warfare system, called Tobol, to disrupt internet connections from Elon Musk's Starlink satellite system. According to the _The Washington Post_, the Russian Tobol system appears to be more advanced than previously thought, although it is not clear if it has actually disrupted internet connections. Analysts initially believed Tobol was designed for defensive purposes but have since concluded it could also be used for offensive purposes, disrupting signals as they are sent from the ground to satellites orbiting the Earth.

For the last four years, politicians in the UK have been drafting laws designed to regulate the internet—first in the guise of an online harms law, which has since morphed into the Online Safety Bill. It's been a particularly messy process—often trying to deal with a dizzying range of online activities—but its impact on end-to-end encryption is alarming technology firms. This week, WhatsApp, Signal, and the companies behind five other encrypted chat apps signed an open letter saying the UK’s plans could effectively ban encryption, which keeps billions of people's conversations private and secure. (Only the sender and receiver can view end-to-end encrypted messages; the companies that own the messengers don't have access). “The Bill poses an unprecedented threat to the privacy, safety and security of every UK citizen and the people with whom they communicate around the world, while emboldening hostile governments who may seek to draft copy-cat laws,” the companies say in the letter.

Criminals Are Using Tiny Devices to Hack and Steal Cars

NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2022‑42274

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42280

NVIDIA BMC contains a vulnerability in the SPX REST authorization handler, where an unauthorized user can exploit a path traversal, which may lead to escalation of privileges.

7.1

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42282

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can access arbitrary files, which may lead to information disclosure.

6.5

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVE‑2022‑42283

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker with the required privileges can cause a buffer overflow, which may lead to denial of service or code execution.

6.4

AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42286

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, or escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

CVE‑2022‑42287

NVIDIA BMC contains a vulnerability in the IPMI handler, where an attacker can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, or data tampering.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N

CVE‑2022‑42289

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2022‑42290

NVIDIA BMC contains a vulnerability in the SPX REST API, where an attacker with the required privileges can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, or data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑0200

NVIDIA DGX-2 contains a vulnerability in OFBD where a user with high privileges and a pre-conditioned heap can cause an access beyond a buffers end, which may lead to code execution, escalation of privileges, denial of service, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0201

NVIDIA DGX-2 SBIOS contains a vulnerability in Bds, where a user with high privileges can cause a write beyond the bounds of an indexable resource, which may lead to code execution, denial of service, compromised integrity, and information disclosure.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑0202

NVIDIA DGX A100 SBIOS contains a vulnerability where an attacker may modify arbitrary memory of SMRAM by exploiting the GenericSio and LegacySmmSredir SMM APIs. A successful exploit of this vulnerability may lead to denial of service, escalation of privileges, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0206

NVIDIA DGX A100 SBIOS contains a vulnerability where an attacker may modify arbitrary memory of SMRAM by exploiting the NVME SMM API. A successful exploit of this vulnerability may lead to denial of service, escalation of privileges, and information disclosure.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑0207

NVIDIA DGX-2 SBIOS contains a vulnerability where an attacker may modify the ServerSetup NVRAM variable at runtime by executing privileged code. A successful exploit of this vulnerability may lead to denial of service.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA software products affected, versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

**Firmware Container**

CVE‑2022‑42274  
CVE‑2022‑42280  
CVE‑2022‑42282  
CVE‑2022‑42283  
CVE‑2022‑42287  
CVE‑2023‑0200  
CVE‑2023‑0201

DGX-2

DGX-2

All BMC versions prior to 1.08.00

01.08.00

23.3.1

CVE‑2022‑42286  
CVE‑2022‑42289  
CVE‑2022‑42290  
CVE‑2023‑0207

DGX-2

DGX-2

All SBIOS versions prior to 0.33

0.33

23.3.1

CVE‑2023‑0202  
CVE‑2023‑0206

DGX A100

DGX A100

All SBIOS versions prior to 1.18

1.18

22.12.1

**AMI Security Advisory CVEs Addressed**

CVE‑2022‑40259  
CVE‑2022‑40242  
CVE‑2022‑2827

DGX Station A100

DGX Station A100

All BMC versions prior to 2.01.00

2.01.00

23.3.1

**Additional Information****Security Vulnerabilities Reported by AMI**

The following table lists potential security vulnerabilities in some AMI MegaRAC SP-X Baseboard Management Controllers that have been reported by AMI. These vulnerabilities may allow user enumeration, unauthorized access, or arbitrary code execution.

**CVE ID**

**Severity**

**Summary**

CVE‑2022‑40259

Critical

AMI MegaRAC Redfish Arbitrary Code Execution

CVE‑2022‑40242

High

MegaRAC Default Credentials Vulnerability

CVE‑2022‑2827

High

AMI MegaRAC User Enumeration Vulnerability

The following table lists the status of the NVIDIA response to these vulnerabilities for each NVIDIA DGX system.

**System**

**Status**

DGX-1

Not vulnerable - no response required

DGX-2

Not vulnerable - no response required

DGX A100

To be addressed in May 2023 as stated in NVIDIA DGX A100 Server and DGX Station A100 - December 2022

DGX Station

Not vulnerable - no response required

DGX Station A100

Addressed in this update

**Security Vulnerabilities Reported by Intel**

The following table lists potential security vulnerabilities in some Intel Processors that have been reported by Intel. These vulnerabilities may allow escalation of privileges or denial of service. They are addressed in DGX-2 SBIOS release version 0.33.

**CVE ID**

**Severity**

**Summary**

CVE‑2020‑12357

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑8670

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑8700

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑12359

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑12358

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE‑2021‑0095

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE‑2020‑12360

Medium

Intel(R) Processors Privilege Escalation Vulnerability

CVE‑2020‑24486

Medium

Intel(R) Processors Denial of Service Vulnerability

**Acknowledgements**

CVE‑2022‑42274, CVE‑2022‑42280, CVE‑2022‑42282, CVE‑2022‑42283, CVE‑2022‑42286, CVE‑2022‑42287, CVE‑2022‑42289, CVE‑2022‑42290: The NVIDIA Offensive Security Research (OSR) team reported these issues.

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.0

March 23, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-0207: NVIDIA Support

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

**Details**

This section provides a summary of potential vulnerabilities that this security update addresses and their impact. Descriptions use CWE™, and base scores and vectors use CVSS v3.1 standards.

**CVE ID**

**Description**

**Base Score**

**Vector**

CVE‑2023‑0209

NVIDIA DGX-1 SBIOS contains a vulnerability in the Uncore PEI module, where authentication of the code executed by SSA is missing, which may lead to arbitrary code execution, denial of service, escalation of privileges, information disclosure, data tampering, and SecureBoot bypass.

8.2

AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25505

NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler of the AMI MegaRAC BMC, where an attacker with the appropriate level of authorization can cause a buffer overflow, which may lead to denial of service, information disclosure, or arbitrary code execution.

7.8

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25506

NVIDIA DGX-1 contains a vulnerability in Ofbd in AMI SBIOS, where a preconditioned heap can allow a user with elevated privileges to cause an access beyond the end of a buffer, which may lead to code execution, escalation of privileges, denial of service and information disclosure. The scope of the impact of this vulnerability can extend to other components.

7.5

AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H

CVE‑2023‑25507

NVIDIA DGX-1 BMC contains a vulnerability in the SPX REST API, where an attacker with the appropriate level of authorization can inject arbitrary shell commands, which may lead to code execution, denial of service, information disclosure, and data tampering.

7.2

AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25508

NVIDIA DGX-1 BMC contains a vulnerability in the IPMI handler, where an attacker with the appropriate level of authorization can upload and download arbitrary files under certain circumstances, which may lead to denial of service, escalation of privileges, information disclosure, and data tampering.

6.7

AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CVE‑2023‑25509

NVIDIA DGX-1 SBIOS contains a vulnerability in Bds, which may lead to code execution, denial of service, and escalation of privileges.

6.0

AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H

The NVIDIA risk assessment is based on an average of risk across a diverse set of installed systems and may not represent the true risk to your local installation. NVIDIA recommends consulting a security or IT professional to evaluate the risk to your specific configuration.

**Security Updates**

The following table lists the NVIDIA server products affected, firmware versions affected, and the updated version that includes this security update.

To protect your system, download and install this firmware update through the NVIDIA Enterprise Support Portal.

**CVE IDs Addressed**

**Hardware Platform**

**System**

**Affected Versions**

**Updated Version**

CVE‑2023‑25505  
CVE‑2023‑25508  
CVE‑2023‑25507

NVIDIA DGX-1 Servers

DGX-1

All BMC versions prior to 3.39.3

3.39.30

CVE‑2023‑0209  
CVE‑2023‑25506  
CVE‑2023‑25509

NVIDIA DGX-1 Servers

DGX-1

All SBIOS prior to S2W\_3A13

S2W\_3A13

**Notes**

*   Upgrade the NVIDIA DGX-1 firmware container to version 23.04.01 to get the updated firmware and SBIOS version listed in the table above. Firmware updates are available through the NVIDIA Enterprise Support Portal.

**Additional Information: Security Vulnerabilities Reported by Intel**

The following table lists potential security vulnerabilities in some Intel processors that have been reported by Intel. These vulnerabilities may allow escalation of privileges or denial of service. They are addressed in DGX-1 SBIOSS2W\_3A13.

**CVE ID**

**Severity**

**Summary**

CVE-2020-12357

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-8670

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-8700

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-12359

High

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-12358

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE-2021-0095

Medium

Intel(R) Processors Denial of Service Vulnerability

CVE-2020-12360

Medium

Intel(R) Processors Privilege Escalation Vulnerability

CVE-2020-24486

Medium

Intel(R) Processors Denial of Service Vulnerability

**Get the Most Up to Date Product Security Information**

Visit the NVIDIA Product Security page to

*   Subscribe to security bulletin notifications
*   See the current list of NVIDIA security bulletins
*   Report a potential security issue in any NVIDIA supported product
*   Learn more about the vulnerability management process followed by the NVIDIA Product Security Incident Response Team (PSIRT)

**Revision History**

  

**Revision**

**Date**

**Description**

1.1

April 19, 2023

Modified CVE-2023-0209 description.

1.0

April 19, 2023

Initial release

**Support**

If you have any questions about this security bulletin, contact NVIDIA Support.

**Disclaimer**

ALL NVIDIA INFORMATION, DESIGN SPECIFICATIONS, REFERENCE BOARDS, FILES, DRAWINGS, DIAGNOSTICS, LISTS, AND OTHER DOCUMENTS (TOGETHER AND SEPARATELY, “MATERIALS”) ARE BEING PROVIDED “AS IS.” NVIDIA MAKES NO WARRANTIES, EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE WITH RESPECT TO THE MATERIALS, AND ALL EXPRESS OR IMPLIED CONDITIONS, REPRESENTATIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OR CONDITION OF TITLE, MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, ARE HEREBY EXCLUDED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

Information is believed to be accurate and reliable at the time it is furnished. However, NVIDIA Corporation assumes no responsibility for the consequences of use of such information or for any infringement of patents or other rights of third parties that may result from its use. No license is granted by implication or otherwise under any patent or patent rights of NVIDIA Corporation. Specifications mentioned in this publication are subject to change without notice. This publication supersedes and replaces all information previously supplied. NVIDIA Corporation products are not authorized for use as critical components in life support devices or systems without express written approval of NVIDIA Corporation.

CVE-2023-25509: NVIDIA Support

Gipsy is a multi-purpose discord bot which aim to be as modular and user-friendly as possible. In versions prior to 1.3 users can run command on the host machine with sudoer permission. The `!ping` command when provided with an IP or hostname used to run a bash `ping <IP>` without verification that the IP or hostname was legitimate. This command was executed with root permissions and may lead to arbitrary command injection on the host server. Users are advised to upgrade. There are no known workarounds for this vulnerability.

@@ -53,43 +53,16 @@ async def hs(self, ctx: MyContext, channel: nextcord.TextChannel = None): await ctx.send(msg)  
@commands.command(name="ping") async def rep(self, ctx: MyContext, ip=None): async def rep(self, ctx: MyContext): """Get bot latency You can also use this command to ping any other server""" if ip is None: m = await ctx.send("Ping...") t = (m.created\_at - ctx.message.created\_at).total\_seconds() try: p = round(self.bot.latency\*1000) except OverflowError: p = "∞" await m.edit(content=":ping\_pong: Pong !\\nBot ping: {}ms\\nDiscord ping: {}ms".format(round(t\*1000), p)) else: asyncio.run\_coroutine\_threadsafe( self.ping\_adress(ctx, ip), asyncio.get\_event\_loop())  
async def ping\_adress(self, ctx: MyContext, ip: str): packages = 30 wait = 0.3 m = await ctx.send("Ping...") t = (m.created\_at - ctx.message.created\_at).total\_seconds() try: try: m = await ctx.send(f"Pinging {ip}...") except: m = None t1 = time.time() param = '-n' if system\_name().lower() == 'windows' else '-c' command = \['ping', param, str(packages), '-i', str(wait), ip\] result = system\_call(command) == 0 except Exception as e: await ctx.send("\`Error:\` {}".format(e)) return if result: t = (time.time() - t1 - wait\*(packages-1))/(packages)\*1000 await ctx.send(await self.bot.\_(ctx.channel, "general.ping-success", time=round(t, 2), ip=ip)) else: await ctx.send(await self.bot.\_(ctx.channel, "general.ping-failed")) if m is not None: await m.delete() p = round(self.bot.latency\*1000) except OverflowError: p = "∞" await m.edit(content=":ping\_pong: Pong !\\nBot ping: {}ms\\nDiscord ping: {}ms".format(round(t\*1000), p))  
@commands.command(name="stats") @commands.cooldown(2, 60, commands.BucketType.guild)

CVE-2023-30621: Fixed error with twitter API token by Leirof · Pull Request #24 · Curiosity-org/Gipsy

While Intel is building more hardware protections directly into the chips, enterprises still need a strategy for applying security updates on these components.

Intel is taking a new tack with its latest commercial PC chips announced last month: Instead of touting speed and performance, the company is emphasizing the chip's security features.

The chip giant has been working with security vendors in recent years to implement hardware-level protections on the chips to protect laptops from ransomware and malware attacks. The new 13th Gen Intel Core vPro processors include under-the-hood improvements at the firmware and operating system levels that boost system protection and management, the company says.

Attackers will find it harder to compromise the firmware through hardware exploits because many of the new upgrades are in the chip's firmware and BIOS, and the chip's security layer contains prevention and detection capabilities. For example, there is a better handshake between the firmware and Microsoft's virtualization technology in Windows 11 to prevent intrusions, says Mike Nordquist, vice president and general manager of Intel Business Client Product Planning and Architecture. He notes that Hyper-V on Windows 11 works with vPro to store secrets and credentials in a virtual container.

"If you only have detection, you keep letting everyone in your front door. You are never really going to address the problem. You have to figure out how to close that front door," Nordquist says.

**Secure Enclaves on Chip**

Intel's vPro now provides the hooks for critical applications running on Windows 11 to be encrypted in memory through a feature called Total Memory Encryption-Multi-Key.

Microsoft provides the ability to encrypt storage drives, but it recently added the ability to encrypt data in memory. Intel's newer Core chips, code-named Raptor Lake, come ready for that feature; they have 16 memory slots in which applications can be encrypted, with separate keys needed to unlock the data.

The feature helps prevent side-channel attacks, which typically involve breaking into a chip and stealing unencrypted data from sources that include memory. Hackers would need a key to unlock the data, and isolating applications in 16 different slots makes it an even bigger challenge to steal data.

Applications are encrypted in virtual machines created in the memory slots, and system administrators can enable or disable the feature.

"We're not encrypting the entirety of the memory, because if you don't need to do it, it is basically going to impact performance," says Venky Venkateswaran, director of client product security and virtualization architecture and definition for Intel's Client Computing Group.

A new vPro technology to prevent security threats, TDT (threat detection technology), uses libraries baked into the chips to identify abnormal activity and security threats on a PC. The library assesses telemetry coming from CPUs that may be related to abnormal processing activity as a result of a security breach.

For example, the libraries can tell if a cryptocurrency mining application is calling on an abnormally high number of crypto instructions. That information is sent to security applications, which use that data in their engine to triage and stop threats.

The libraries have models tuned to weed out ransomware and other types of attack.

"We have low-level telemetry and an AI engine of sorts that can weed out the noise ... you don't want to have false positives," Venkateswaran says.

Intel is partnering with several antivirus vendors, including Microsoft, CrowdStrike, Eset, and Check Point Technologies, to integrate TDT features into security software. This way, the vendors get access to hardware telemetry to detect threats in virtual machines. For example, Eset Endpoint Security will be able to detect ransomware through Intel's performance monitoring unit (PMU), which sits underneath applications in the operating system.

**Patching Components**

Intel is working with PC makers to bring a standard methodology to patch PCs, and it is not putting all the eggs in one basket when it comes to securing systems. The focus is on establishing islands of security for different hardware components.

"There's no reason the BIOS needs to be able to have access to the OS memory. There is no value-add in it," Nordquist says. "So we actually deprivileged that at a base level ... and we did an enhanced level where we could really lock it down good. On vPro, that is a little bit better."

Attack vectors for PCs are different from servers and require a different security profile, he says.

"Before, PCs were designed to make sure the OS was protected. What if I want to protect something from the OS? What if I do not trust the hypervisor? I need the next level of security to deal with that," Nordquist says.

**Squashing Chip Bugs**

As a sign that Intel is serious about making hardware security a priority, the company last year awarded $935,751 in bug bounties to security researchers disclosing security flaws in its chips and firmware. The company has paid a total of $4 million since the inception of the program in 2017, according to its most recent annual security research report.

"These firmware updates are usually released on Intel's website, and the device vendor is responsible for distributing them. Some of them can be delivered automatically by Microsoft Windows Update, but only limited vendors can update their devices through it," says Alex Matrosov, founder of Binarly, whose firmware security platform helps people discover and patch hardware vulnerabilities. "CISOs should start paying more attention to threats and device ... security below the operating system. Every mature enterprise organization should invest in firmware security and specifically vulnerability management for their device security pasture."

Intel Prioritizes Security in Latest vPro Chips

io.finnet tss-lib before 2.0.0 can leak the lambda value of a private key via a timing side-channel attack because it relies on Go big.Int, which is not constant time for Cmp, modular exponentiation, or modular inverse. An example leak is in crypto/paillier/paillier.go. (bnb-chain/tss-lib and thorchain/tss are also affected.)

**Multi-Party Threshold Signature Scheme**

  

Permissively MIT Licensed.

Note! This is a library for developers. You may find a TSS tool that you can use with the Binance Chain CLI here.

**Introduction**

This is an implementation of multi-party {t,n}-threshold ECDSA (Elliptic Curve Digital Signature Algorithm) based on Gennaro and Goldfeder CCS 2018 1 and EdDSA (Edwards-curve Digital Signature Algorithm) following a similar approach.

This library includes three protocols:

*   Key Generation for creating secret shares with no trusted dealer ("keygen").
*   Signing for using the secret shares to generate a signature ("signing").
*   Dynamic Groups to change the group of participants while keeping the secret ("resharing").

⚠️ Do not miss these important notes on implementing this library securely

**Rationale**

ECDSA is used extensively for crypto-currencies such as Bitcoin, Ethereum (secp256k1 curve), NEO (NIST P-256 curve) and many more.

EdDSA is used extensively for crypto-currencies such as Cardano, Aeternity, Stellar Lumens and many more.

For such currencies this technique may be used to create crypto wallets where multiple parties must collaborate to sign transactions. See MultiSig Use Cases

One secret share per key/address is stored locally by each participant and these are kept safe by the protocol – they are never revealed to others at any time. Moreover, there is no trusted dealer of the shares.

In contrast to MultiSig solutions, transactions produced by TSS preserve the privacy of the signers by not revealing which t+1 participants were involved in their signing.

There is also a performance bonus in that blockchain nodes may check the validity of a signature without any extra MultiSig logic or processing.

**Usage**

You should start by creating an instance of a LocalParty and giving it the arguments that it needs.

The LocalParty that you use should be from the keygen, signing or resharing package depending on what you want to do.

**Setup**

// When using the keygen party it is recommended that you pre-compute the "safe primes" and Paillier secret beforehand because this can take some time.
// This code will generate those parameters using a concurrency limit equal to the number of available CPU cores.
preParams, \_ := keygen.GeneratePreParams(1 \* time.Minute)

// Create a \`\*PartyID\` for each participating peer on the network (you should call \`tss.NewPartyID\` for each one)
parties := tss.SortPartyIDs(getParticipantPartyIDs())

// Set up the parameters
// Note: The \`id\` and \`moniker\` fields are for convenience to allow you to easily track participants.
// The \`id\` should be a unique string representing this party in the network and \`moniker\` can be anything (even left blank).
// The \`uniqueKey\` is a unique identifying key for this peer (such as its p2p public key) as a big.Int.
thisParty := tss.NewPartyID(id, moniker, uniqueKey)
ctx := tss.NewPeerContext(parties)

// Select an elliptic curve
// use ECDSA
curve := tss.S256()
// or use EdDSA
// curve := tss.Edwards()

params := tss.NewParameters(curve, ctx, thisParty, len(parties), threshold)

// You should keep a local mapping of \`id\` strings to \`\*PartyID\` instances so that an incoming message can have its origin party's \`\*PartyID\` recovered for passing to \`UpdateFromBytes\` (see below)
partyIDMap := make(map\[string\]\*PartyID)
for \_, id := range parties {
    partyIDMap\[id.Id\] \= id
}

**Keygen**

Use the keygen.LocalParty for the keygen protocol. The save data you receive through the endCh upon completion of the protocol should be persisted to secure storage.

party := keygen.NewLocalParty(params, outCh, endCh, preParams) // Omit the last arg to compute the pre-params in round 1
go func() {
    err := party.Start()
    // handle err ...
}()

**Signing**

Use the signing.LocalParty for signing and provide it with a message to sign. It requires the key data obtained from the keygen protocol. The signature will be sent through the endCh once completed.

Please note that t+1 signers are required to sign a message and for optimal usage no more than this should be involved. Each signer should have the same view of who the t+1 signers are.

party := signing.NewLocalParty(message, params, ourKeyData, outCh, endCh)
go func() {
    err := party.Start()
    // handle err ...
}()

**Re-Sharing**

Use the resharing.LocalParty to re-distribute the secret shares. The save data received through the endCh should overwrite the existing key data in storage, or write new data if the party is receiving a new share.

Please note that ReSharingParameters is used to give this Party more context about the re-sharing that should be carried out.

party := resharing.NewLocalParty(params, ourKeyData, outCh, endCh)
go func() {
    err := party.Start()
    // handle err ...
}()

⚠️ During re-sharing the key data may be modified during the rounds. Do not ever overwrite any data saved on disk until the final struct has been received through the end channel.

**Messaging**

In these examples the outCh will collect outgoing messages from the party and the endCh will receive save data or a signature when the protocol is complete.

During the protocol you should provide the party with updates received from other participating parties on the network.

A Party has two thread-safe methods on it for receiving updates.

// The main entry point when updating a party's state from the wire
UpdateFromBytes(wireBytes \[\]byte, from \*tss.PartyID, isBroadcast bool) (ok bool, err \*tss.Error)
// You may use this entry point to update a party's state when running locally or in tests
Update(msg tss.ParsedMessage) (ok bool, err \*tss.Error)

And a tss.Message has the following two methods for converting messages to data for the wire:

// Returns the encoded message bytes to send over the wire along with routing information
WireBytes() (\[\]byte, \*tss.MessageRouting, error)
// Returns the protobuf wrapper message struct, used only in some exceptional scenarios (i.e. mobile apps)
WireMsg() \*tss.MessageWrapper

In a typical use case, it is expected that a transport implementation will consume message bytes via the out channel of the local Party, send them to the destination(s) specified in the result of msg.GetTo(), and pass them to UpdateFromBytes on the receiving end.

This way there is no need to deal with Marshal/Unmarshalling Protocol Buffers to implement a transport.

**How to use this securely**

⚠️ This section is important. Be sure to read it!

The transport for messaging is left to the application layer and is not provided by this library. Each one of the following paragraphs should be read and followed carefully as it is crucial that you implement a secure transport to ensure safety of the protocol.

When you build a transport, it should offer a broadcast channel as well as point-to-point channels connecting every pair of parties. Your transport should also employ suitable end-to-end encryption (TLS with an AEAD cipher is recommended) between parties to ensure that a party can only read the messages sent to it.

Within your transport, each message should be wrapped with a **session ID** that is unique to a single run of the keygen, signing or re-sharing rounds. This session ID should be agreed upon out-of-band and known only by the participating parties before the rounds begin. Upon receiving any message, your program should make sure that the received session ID matches the one that was agreed upon at the start.

Additionally, there should be a mechanism in your transport to allow for "reliable broadcasts", meaning parties can broadcast a message to other parties such that it's guaranteed that each one receives the same message. There are several examples of algorithms online that do this by sharing and comparing hashes of received messages.

Timeouts and errors should be handled by your application. The method WaitingFor may be called on a Party to get the set of other parties that it is still waiting for messages from. You may also get the set of culprit parties that caused an error from a *tss.Error.

**Security Audit**

A full review of this library was carried out by Kudelski Security and their final report was made available in October, 2019. A copy of this report audit-binance-tss-lib-final-20191018.pdf may be found in the v1.0.0 release notes of this repository.

**References**

\[1\] https://eprint.iacr.org/2019/114.pdf

CVE-2023-26557: GitHub - bnb-chain/tss-lib at v1.3.5

RosarioSIS prior to version 10.9.3 has a vulnerability that allows a user to return to a page containing personally identifiable information (PII) and sensitive information even after logging out of the application by using the browser's back button.

**RosarioSIS improper access control vulnerability**

Moderate severity GitHub Reviewed Published Apr 21, 2023 to the GitHub Advisory Database • Updated Apr 24, 2023

GHSA-g66v-3v62-g375: RosarioSIS improper access control vulnerability

Categories: Apple
Categories: Exploits and vulnerabilities
Categories: News
Tags: Apple

Tags:  Lockdown Mode

Tags:  NSO

Tags:  PWNYOURHOME

Tags:  FINDMYPWN

Tags:  LATENTIMAGE

Apple's Lockdown Mode has shown that it can do what it was designed to do by notifying users about an NSO exploit.



(Read more...)




The post iOS Lockdown Mode effective against NSO zero-click exploit appeared first on Malwarebytes Labs.

Apple’s Lockdown Mode feature alerted a victim to one of the latest NSO exploits, according to a report by Citizen Lab.

_image courtesy of Citizen Lab_

This is a huge deal since it shows how useful Lockdown Mode can be, even against exploits developed by one of the world’s most notorious commercial spyware producers.

Pegasus spyware, developed by NSO Group, has featured in many news stories, after being found to have been used against journalists, politicians, State Department employees, embassy workers, and activists.

We talked about Pegasus infections in our podcast Lock and Code, which can be listened to in full here:

As Pegasus has become publicly scrutinized, NSO Group has expanded its product line. Citizen Lab found several new zero-click chains that it was able to tie to the NSO group with high confidence.

The report describes three of them in detail:

*   **PWNYOURHOME**: An iOS 15 and iOS 16 zero-click exploit which involves the HomeKit functionality built into iPhones and works even if the victim has never configured a “Home” inside HomeKit.
*   **FINDMYPWN**: An iOS 15 zero-day, zero-click exploit which is associated with the iPhone’s built-in Find My functionality.
*   **LATENTIMAGE**: An iOS 15 zero-click exploit which is also believed to use the iPhone’s Find My feature.

The use of multiple attack surfaces can be handled in two very different ways. You can play a game of whack a mole and patch the vulnerabilities as they get uncovered, which is certainly necessary and common practice, but it has the disadvantage of being responsive rather than preventive. And the report also stipulates that NSO is getting better at hiding itself and its traces on infected devices, which makes it harder to find and analyze the exploits they used.

The other way of minimizing the risk of exploits is to build with security in mind. Think of design decisions like memory safe programming languages, and sandboxing applications so a vulnerability in one does not lead to a compromised device and stays limited to the app. But also features like Apple’s Lockdown Mode which puts an iPhone into a state where it is more difficult to attack.

Lockdown Mode is available for iOS 16, iPadOS 16 and macOS Ventura. It is designed to provide a safer environment for users that are at a higher risk.

You could say it was introduced with Pegasus in mind. And although Apple refers to Lockdown Mode as "an extreme, optional protection," the limitations don't actually sound particularly difficult to live with.

*   **Messages**: Most message attachment types other than images are blocked and some features, like link previews, are unavailable.
*   **Web browsing**: Certain complex web technologies, like just-in-time (JIT) JavaScript compilation, are disabled unless the user excludes a trusted site from Lockdown Mode.
*   **Apple services**: Incoming invitations and service requests, including **FaceTime** calls, are blocked if the user has not previously sent the initiator a call or request.
*   **Wired connections** with a computer or accessory are blocked when iPhone is locked.

Configuration profiles cannot be installed, and the device cannot enroll into mobile device management (MDM), while Lockdown Mode is turned on. A device that was enrolled in Mobile Device Management before Lockdown Mode is enabled remains managed. System administrators can install and remove configuration profiles on that device.

Even though it’s very good news that Lockdown Mode proved it was able to notify a target about an ongoing attack, there are some caveats. The Citizen Lab report also mentions that NSO may have figured out a way to correct the notification issue, since Citizen Lab has had no new reports about it. NSO could have done this, for example, by fingerprinting Lockdown Mode. And since Lockdown Mode is not available for iOS 15 it only provides protection against the PWNYOURHOME exploit. The others didn’t work on iOS 16 anyway.

**Enabling Lockdown mode**

So, how do you turn on Lockdown Mode? If you consider yourself a target for commercial spyware or are willing to live with some minor inconveniences for a higher level of security, here’s what you can do.

How to enable Lockdown Mode on iPhone or iPad:

*   Open the **Settings** app
*   Tap **Privacy & Security**
*   Under **Security**, tap **Lockdown Mode** and tap **Turn On Lockdown Mode**
*   Tap **Turn On Lockdown Mode**
*   Tap **Turn On & Restart**, then enter your device passcode.

And you’re all set. If you feel that the limitations are a bit too strict for your convenience, don’t turn it off immediately because there are ways to exclude apps or websites from Lockdown Mode. While your device is in Lockdown Mode, you can exclude an app or website in Safari from being impacted and limited. Exclude only trusted apps or websites and only if necessary.

To exclude a website while browsing: Tap the **Page Settings** button , then tap **Website Settings**. Then turn off Lockdown Mode.

To exclude an app or edit your excluded websites:

*   Open the **Settings** app
*   Tap **Privacy & Security**
*   Under **Security**, tap **Lockdown Mode**
*   Tap **Configure Web Browsing**
*   Exclude websites or apps from Lockdown Mode on iPhone

To exclude an app, turn that app off in the menu. Only apps that you have opened since enabling Lockdown Mode and which have limited functionality appear on this list.

To edit your excluded websites, tap Excluded Safari Websites > Edit.

**We don’t just report on iOS security—we provide it**

Cybersecurity risks should never spread beyond a headline. Keep threats off your iOS devices by downloading Malwarebytes for iOS today.

iOS Lockdown Mode effective against NSO zero-click exploit

Improper Access Control in GitHub repository francoisjacquet/rosariosis prior to 10.9.3.

@@ -497,27 +497,31 @@ var ajaxPopState = function() {

\* @link https://stackoverflow.com/questions/17432899/javascript-bfcache-pageshow-event-event-persisted-always-set-to-false

\* @link https://huntr.dev/bounties/efe6ef47-d17c-4773-933a-4836c32db85c/

\*/

if (window.performance && (performance.navigation.type \== 2

|| (performance.getEntriesByType

&& performance.getEntriesByType("navigation")\[0\]

&& performance.getEntriesByType("navigation")\[0\].type \=== 'back\_forward'))) {

location.reload();

}

function browserHistoryCacheBuster(event) {

if (location.href.indexOf('Modules.php?') \=== \-1) {

// Current page is not Modules.php, no login required, skip.

return;

}

  

window.onpageshow\=function(event) {

/\*\*

\* Same as above for Safari (does not execute Javascript on history back)

\* persisted indicates if the document is loading from a cache (not reliable)

\*

\* @link https://web.dev/bfcache/

\*/

if (event.persisted

// persisted indicates if the document is loading from a cache (not reliable)

if ((event && event.persisted)

|| window.performance && (performance.navigation.type \== 2

|| (performance.getEntriesByType

&& performance.getEntriesByType("navigation")\[0\]

&& performance.getEntriesByType("navigation")\[0\].type \=== 'back\_forward'))) {

location.reload();

}

}

  

browserHistoryCacheBuster();

  

/\*\*

\* onpageshow: Same as above for Safari (does not execute Javascript on history back)

\*

\* @link https://web.dev/bfcache/

\*/

window.onpageshow\=function(event) {

browserHistoryCacheBuster(event);

};

  

// onunload: Fix for Firefox to execute Javascript on history back.

CVE-2023-2202: Security Fix browser loading cached page when page full reload (F5) +… · francoisjacquet/rosariosis@6433946

**DENVER****,** **April 20, 2023** **/PRNewswire/ --** Red Canary, a leader in managed detection and response, launched Red Canary Readiness, a new portfolio of offerings that gives teams a whole new way to train and prepare for incidents. Now any company can improve their incident response preparedness by empowering their security teams to practice and validate the skills, processes, and playbooks required to quickly respond to cyber and business continuity threats.

The initial Readiness product is Readiness Exercises, a first-of-its-kind continuous learning platform that combines training, tabletops, and atomic tests in one experience. With Readiness Exercises available today, cybersecurity professionals get on-demand content and expert training at their fingertips, making it easy for companies to skill up employees, no matter where they are.

**Enterprises must maintain a skilled and ready workforce to face today's top cybersecurity threats**

Adversaries are becoming faster and more efficient at distributing and scaling cyberattacks. Rather than infrequent and one-size-fits-all training, continuous learning is critical to keep pace with the evolving threat landscape.

Readiness scenarios are ripped from the headlines and informed by Red Canary's leading threat intelligence and adversary research from its Managed Detection and Response (MDR) solution, which conducts millions of investigations per year. This expertise is mapped to industry-standard frameworks, such as NIST and MITRE ATT&CK®, to ensure teams are practicing the most critical scenarios. Training can be self-guided or facilitated, ranging from 20 minutes to 2 hours, and prepares teams to face incidents involving business email compromise, ransomware, and other threats including Qbot and Raspberry Robin.

"We have previously invested in cybersecurity training but have had mixed results. The exercises don't always relate to the threats that matter most to us, and the lessons are infrequent and don't always stick," said Michael Strong, Chief Security Officer, GCI. "This is why we are so excited about Readiness Exercises. Now our team can continuously train and benchmark our progress, learning from the Red Canary team who respond to real-world threats daily. It gives me confidence knowing that we're better prepared for the next threat that comes our way."

"Just having an incident response plan and a set of playbooks is no longer enough. That plan and those playbooks must be put to the test regularly and refined to keep up with evolving threats," wrote Jess Burn, Sr. Analyst, Forrester in an April 2022 blog post.

Readiness Exercises foster continuous learning, which drives both employee and business success through:

*   **Continuously improving your readiness:** Benchmark current skill levels against industry standards through frequent feedback and scoring. Onboard new team members and establish a culture of consistent skill improvement.
*   **Training for real-world threats:** Continuously practice and validate team preparedness against realistic scenarios based on trending adversary groups, tools, and MITRE ATT&CK® techniques.
*   **Get training, tabletops, and atomic tests in one experience:** Bring together disparate learning tools and run them in your environment to maximize their relevance and impact.

"We're excited to announce the launch of Readiness Exercises, a comprehensive solution that combines tabletop exercises, cybersecurity training, and atomic testing into a seamless, continuous learning experience," said Brian Beyer, CEO of Red Canary. "With this innovative product, we're reinventing the way organizations approach cybersecurity training and prepare for real-world threats."

**Learn more**

*   Learn more about Readiness
*   Watch the Readiness Exercises video
*   Register for the Readiness webinar

**Availability** 

Red Canary Readiness launched today, with Red Canary Readiness Exercises generally available now.

**About Red Canary**

Red Canary is a leader in managed detection and response (MDR). We serve companies of every size and industry, focusing on finding and stopping threats before they can have a negative impact. As the security ally for nearly 1,000 organizations, we provide MDR across our customers' cloud workloads, identities, SaaS applications, networks, and endpoints. For more information about Red Canary, visit: https://www.redcanary.com.

SOURCE Red Canary

Tag

#ios