Apple Security Advisory 2023-09-21-3 - iOS 16.7 and iPadOS 16.7 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-21-3 iOS 16.7 and iPadOS 16.7iOS 16.7 and iPadOS 16.7 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213927.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.Additional CVE entries coming soon.KernelAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupSecurityAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupWebKitAvailable for: iPhone 8 and later, iPad Pro (all models), iPad Air 3rdgeneration and later, iPad 5th generation and later, and iPad mini 5thgeneration and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupAdditional recognitionKernelWe would like to acknowledge Bill Marczak of The Citizen Lab at TheUniversity of Toronto's Munk School and Maddie Stone of Google's ThreatAnalysis Group for their assistance.This update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 16.7 and iPadOS 16.7".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+MACgkQX+5d1TXaIvqDVA//ViOiBbSSAlFO6+SkMIWoXJvV+5lQktWubXwtiDkC2gXrxFazBMrGOmzz1ELGkLVPGbgPR0nt5C2VrmFWEQ6U4HGf8K1RTIniqqSVHuVZeoQ8JGobIEItgj0/NYws3BtdZKaYJtW9imdMBgjk9pFsqYvw14yNxxScaUz1zmOjdbslQSkYIMqYp5Er2ION56ZLVvTfNs70RsZ3k/8S+2FFR1UQR0kfXrGZg7vmeaEw0XPW7NZGjLDiDTxW/Ro2lfl/7jLMH7gy5IeHTJw0TsZZlkCgQ0EllJ3UPuptpr9EiNgs26bJLGjv8Hjl1Mp1/uzkPhdNLcN8UghgCrQNHuMb9P69DcHahOAuACCPWO09eoQay2+ZmMR+Ec7HKUmVEnjCJ7I4crIY93c8zXdkrFp06kwcLOUo7JzVy7WWAn302wGKnNW1G/q7FXNSbGnWs/mQMWXfB3eeLT7atU39RmCQgLNopfQuJfgImTYiSYhVB1xBt0sKnP9OfT2RKlWO4+7Igs9UzcNkbNnDjkJGGtZuQNG1njUHDRaePpC8YnesQ5Xo3mUAdEKKDjfsvgvy/xZXLggpwj1Vo5RrRsceiWEjjffCsRJaBEx/R03dv4JUkm3VT/dRFWEntroGZ+lvhgKjvKUszZ9/ztER3Yfw9FvptRwznshof/KYt+IKAVwnQOQ==oY3a-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-3

Apple Security Advisory 2023-09-21-2 - iOS 17.0.1 and iPadOS 17.0.1 addresses bypass vulnerabilities.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA256APPLE-SA-2023-09-21-2 iOS 17.0.1 and iPadOS 17.0.1iOS 17.0.1 and iPadOS 17.0.1 addresses the following issues.Information about the security content is also available athttps://support.apple.com/kb/HT213926.Apple maintains a Security Updates page athttps://support.apple.com/HT201222 which lists recentsoftware updates with security advisories.KernelAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,iPad mini 5th generation and laterImpact: A local attacker may be able to elevate their privileges. Appleis aware of a report that this issue may have been actively exploitedagainst versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.CVE-2023-41992: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupSecurityAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,iPad mini 5th generation and laterImpact: A malicious app may be able to bypass signaturevalidation. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: A certificate validation issue was addressed.CVE-2023-41991: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupWebKitAvailable for: iPhone XS and later, iPad Pro 12.9-inch 2nd generationand later, iPad Pro 10.5-inch, iPad Pro 11-inch 1st generation andlater, iPad Air 3rd generation and later, iPad 6th generation and later,iPad mini 5th generation and laterImpact: Processing web content may lead to arbitrary codeexecution. Apple is aware of a report that this issue may have beenactively exploited against versions of iOS before iOS 16.7.Description: The issue was addressed with improved checks.WebKit Bugzilla: 261544CVE-2023-41993: Bill Marczak of The Citizen Lab at The University ofToronto's Munk School and Maddie Stone of Google's Threat Analysis GroupThis update is available through iTunes and Software Update on youriOS device, and will not appear in your computer's Software Updateapplication, or in the Apple Downloads site. Make sure you have anInternet connection and have installed the latest version of iTunesfrom https://www.apple.com/itunes/  iTunes and Software Update on thedevice will automatically check Apple's update server on its weeklyschedule. When an update is detected, it is downloaded and the optionto be installed is presented to the user when the iOS device isdocked. We recommend applying the update immediately if possible.Selecting Don't Install will present the option the next time youconnect your iOS device.  The automatic update process may take up toa week depending on the day that iTunes or the device checks forupdates. You may manually obtain the update via the Check for Updatesbutton within iTunes, or the Software Update on your device.  Tocheck that the iPhone, iPod touch, or iPad has been updated:  *Navigate to Settings * Select General * Select About. The versionafter applying this update will be "iOS 17.0.1 and iPadOS 17.0.1".All information is also posted on the Apple Security Updatesweb site: https://support.apple.com/en-us/HT201222.This message is signed with Apple's Product Security PGP key,and details are available at:https://www.apple.com/support/security/pgp/-----BEGIN PGP SIGNATURE-----iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+MACgkQX+5d1TXaIvrv2BAA2OVuQh+A+ueReKyIWMrCbMSa8Vr/0I30lmR6EwagXspttZU6o5B1YpxDQGljaQT4wKizwxW0Uvkjr/b74oLcfsTp0VVNF8RqrFLPEw7CszXANhxoCHa47J3BX4WYvVKMmjc65AAcBby54UXLBVRKs1pdcWXE+/X+/Oo+LzynUeuFzNlMJ6bMBtrax2ip/gLwNiR47gkpwP3JSnChnAwulbDnUVNpdt9+eRnU5qAoFKsCGVlbCj34lqVyPpHBc4NXAjar+F/iQkTVGwWpeolMFaxUNMWspy4dhdni3ol5lxjRZvBTQqqCiEy1iX1KrU+ZXiIu8GRAMJcYYczM0AqrGc3P59jmMKR9x1tmoWcqVJr4o05c89K4QPy/xxCO6D1kNkk4Flo4ko/9UElFlAkdcoh+Uw63lvc7QtsjIgbkkktD6Oy+PQmaPtXLijmJ6pAbX9IpFCyNDdGX+Iwpqa7gp9oxVD3O4UVIqJkMTcUlDqP7oOHyOVbLLDIhbL+11gQFRjO1j6CO5wqohd234XKArks/ifw2BUV5itOxt/jHfRP7XJpgBXx+R91RxWSn8r1Bf/GMD7S+jIpfJ6kON/UykDTqYHHJYhpMaKlLwuZQY5iWyp0SySTY+UHhl4Q/hGIEFQHItjz3Vk+1Kn6iwh4XDWHPMOLFTXkNoxl7dy5cQ+k==g23D-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-2

Apple Security Advisory 2023-09-21-1 - Safari 16.6.1 addresses a code execution vulnerability.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-2023-09-21-1 Safari 16.6.1

Safari 16.6.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/kb/HT213930.

Apple maintains a Security Updates page at  
https://support.apple.com/HT201222 which lists recent  
software updates with security advisories.

WebKit  
Available for: macOS Big Sur and Monterey  
Impact: Processing web content may lead to arbitrary code  
execution. Apple is aware of a report that this issue may have been  
actively exploited against versions of iOS before iOS 16.7.  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 261544  
CVE-2023-41993: Bill Marczak of The Citizen Lab at The University of  
Toronto's Munk School and Maddie Stone of Google's Threat Analysis Group

Safari 16.6.1 may be obtained from the Mac App Store.  
All information is also posted on the Apple Security Updates  
web site: https://support.apple.com/en-us/HT201222.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmUMi+IACgkQX+5d1TXa  
IvrZ2BAAuNoAbXP8tdVUSSH8ZI5HlF80jdbUjVTMvRXl0sjkzBPGaS9g0hKJWZhD  
4b4yKY5/4flWuL4SXWaSzk8ZDe0EmgUoKG1Nr1rROR+KzXY78mm5V8z3xheCH4+d  
4e8wJ57xLQn++Gw1heVC21JBgFIq00OAbnBptPKfMQZGQaa6g/aRV8o/gezWcG3Y  
3zqbrW2wSvfTVWE2yMKJBTnHLbHZNWWHXojWJqgmKRli3pyfrff2N6vk7w0nsBxg  
FNgreWXK4KO3MkGONXYRdmwbqWpiLokJ2oAiHI4sepF4eb9mgrJ/dOLHVoWZ9HVm  
BWG7TKKV780d15dNegx4zgTU8p9X9x7rFvY3EoKjpg0Hvd/yf/4POeKCAz9TB2ve  
sVmGlHHqrYZm+ZkxmGHZwbZWzUTLSs6+T0T906LR5+qFUeffpjQTKFi7kOVuKIxt  
6GbWt+Tmfvkka/Wt/NM1xQXB0CCm1TtudqHgCECXGN3ZT5kxVlJpyltltG2o+Mp4  
IN31lMQ+77zwT59JOkup045RLWhaoMFfqpIJ61LYT0g16OXZmJH/Lheawy4LUr/N  
85A+42DoTsVwjOU8BoRhWqSX/nZeBcadV7hhK2rGw9pI2LI6S24BoIH6DUc5VTfX  
kQzhBo+SN5ZgV2c3mPO4DuRzAn9ijZO7HnJou/0nM7cZTJEmAVA=  
=dCMM  
-----END PGP SIGNATURE-----

Apple Security Advisory 2023-09-21-1

Corporations are using software to monitor employees on a large scale. Some experts fear the data these tools collect could be used to automate people out of their jobs.

You’ve probably heard the story: A young buck comes into a new job full of confidence, and the weathered older worker has to show them the ropes—only to find out they’ll be unemployed once the new employee is up to speed. This has been happening among humans for a long time—but it may soon start happening between humans and artificial intelligence.

Countless headlines over the years have warned that automation isn’t just coming for blue-collar jobs, but that AI would threaten scores of white-collar jobs as well. AI tools are becoming capable of automating tasks and sometimes entire jobs in the corporate world, especially when those jobs are repetitive and rely on processing data. This could affect everyone from workers at banks and insurance companies to paralegals and beyond.

Carl Frey, an economist at Oxford University, coauthored a landmark study in 2013 that claimed AI could threaten nearly 50 percent of US jobs in the coming decades. Frey says that he doesn’t think new AI tools like ChatGPT are going to automate jobs in this way because they still require human involvement and are often unreliable. Still, many of the underlying factors that were outlined in that paper remain pertinent today. Considering the rapid pace at which AI is advancing, it’s hard to predict how it could soon be utilized and what it will be capable of.

Then there’s the issue of how it’s being incorporated into daily work and how it’s being trained. Enter corporate spyware, invasive monitoring apps that allow bosses to keep close tabs on everything their employees are doing—collecting reams of data that could come into play here in interesting ways. Corporations, which are monitoring their employees on a large scale, are now having workers utilize AI tools more frequently, and many questions remain regarding how the many AI tools that are currently being developed are being trained.

Put all of this together and there’s the potential that companies could use data they’ve harvested from workers—by monitoring them and having them interact with AI that can learn from them—to develop new AI programs that could actually replace them. If your boss can figure out exactly how you do your job, and an AI program is learning from the data you’re producing, then eventually your boss might be able to just have the program do the job instead.

“When it comes to monitoring workflows, I do think that’s going to be a way we automate a lot of this stuff,” Frey says. “What you might be able to do is take some of those foundational models and train them on some of the data you have internally and fine-tune them, or you could train a model from scratch just with your internal data.”

David Autor, a professor of economics at MIT, says he also thinks AI could be trained in this way. While there is a lot of employee surveillance happening in the corporate world, and some of the data that’s collected from it could be used to help train AI programs, simply learning from how people are interacting with AI tools throughout the workday could help train those programs to replace workers.

“They will learn from the workflow in which they’re engaged,” Autor says. “Often people will be in the process of working with a tool, and the tool will be learning from that interaction.”

Whether you’re training an AI tool directly by interacting with it throughout the day, or the data you’re producing while you work is simply being used to create an AI program that can do the work you’re doing, there are multiple ways in which a worker could inadvertently end up training an AI program to replace them. Even if the program doesn’t end up being incredibly effective, a lot of companies might be happy with an AI program that’s good enough because it doesn’t require a salary and benefits.

“I think there are a lot of discretionary white-collar jobs where you’re kind of using a mixture of hard information and soft information and trying to make advanced decisions,” Autor says. “People aren’t that good at that, machines aren’t that good at that, but probably machines can be pretty much as good as people.”

Autor says he doesn’t see a “labor market apocalypse” coming. Many workers won’t be entirely replaced but will simply have their jobs changed by AI, Autor says, while some workers will certainly be made redundant by advancements in AI. The problem there, he says, is what happens to those workers after they’re no longer able to find a well-paying job with the education and skill sets they have.

“It’s not that we’re going to run out of work. It’s much more that people are doing something they’re good at, and that thing goes away. And then they end up doing a kind of generic activity that everybody’s good at, which means it pays very little—food service, cleaning, security, vehicle driving,” Autor says. “These are low-paying activities.”

Once someone’s automated out of a well-paying job, they can end up slipping through the cracks. Autor says we’ve seen this happen in the past.

“The hollowing out of manufacturing and office work over the past 40 years has definitely put downward pressure on the wages of people who would do that type of work, and it’s not because they’re doing it now at a lower rate of pay. It’s because they’re not doing it,” Autor says.

Frey says politicians will need to offer solutions to those who fall through the cracks to prevent the destabilization of the economy and society. That would likely include offering social safety net programs to those affected. Frey has written extensively on the effects of the first Industrial Revolution, and he says there are lessons to be learned there. In Britain, for example, there was a program called the Poor Laws, where people who were harmed by automation were given financial relief.

“What you see back then is a lot of social unrest. Wages are stagnant or falling for a large part of the population. You have riots,” Frey says. “If you look at the places where the Poor Laws were more generous, there was less social unrest and less upheaval. Using welfare systems to compensate people who lose out is something we’ve done for a long time and should continue to do.”

Many people would also benefit from being retrained for other work, but Autor says the US has never been very good at retraining people, so there’d have to be some work done to create effective retraining programs. He says technology might actually be able to help there because people could be retrained using helpful new digital tools.

There was a lot of hype surrounding ChatGPT and similar AI tools when they came out. That hype has since died down a bit, suggesting to some that maybe these tools won’t be as useful as they were promised to be. Perhaps they won’t be taking everybody’s jobs. However, at the rate at which AI is advancing, there’s no saying where things could be in five to 10 years—or even next year.

Vincent Conitzer, a professor of computer science at Carnegie Mellon University, says people shouldn’t underestimate what these AI tools may soon be capable of. They may be somewhat limited in their use now, but that could change relatively rapidly and end up being as disruptive as some have warned it could be.

“I worry about this being a ‘boiling frog’ kind of scenario, where we see amazing advances in AI but then don’t immediately see them take over people’s jobs, and \[people\] conclude there wasn’t all that much to worry about, and we accept the new technology as the new normal but not all that impressive after all,” Conitzer says. “Meanwhile, gradually but quickly, the world and the job market do adjust to the new technologies in complex ways, and at some point we realize large societal problems have emerged.”

Your Boss’s Spyware Could Train AI to Replace You

With the number of internet blackouts on the rise, cybersecurity firm eQualitie figured out how to hide censored online news in satellite TV signals.

All over the world, walls are going up around the internet.

For years, autocratic regimes have been in a race to heighten those walls, as their citizens develop taller and taller ladders. The more they filter and block, the more their citizens come up with clever technical solutions to access the uncensored truth. There is mounting evidence, however, that repressive regimes are opting to just shut down access to the open internet entirely—and that such blackouts could become permanent.

A team of cybersecurity researchers believe they have come up with a clever new way to fight back: a trojan horse. Specifically, a satellite feed designed to look like a television station, which actually carries a payload of uncensored news and information. It’s a particularly retro solution to a very modern problem.

The program, dubbed eQsat, has been tested and is ready to be put into action during the next internet shutdown—whether it’s in Russian-occupied Ukraine, Iran, or one of the many repressive regimes that regularly block internet access.

The cybersecurity firm behind the program, eQualitie, has spent years developing tools designed for civil society in countries with aggressive internet filtering. Its mobile browser, Ceno, connects users to the open internet and serves content peer-to-peer. When a particular website is blocked or throttled, Ceno grabs a copy of the website supplied by another user who can access the site normally.

Ceno’s weakness—like all peer-to-peer services—is that it still requires some connection to the outside world to deliver blocked content. During a total shutdown, Ceno’s peer-to-peer connections are severed as well.

There are some unreliable solutions to this problem. In some cases, mobile internet or Wi-Fi can be broadcast into an area experiencing an internet shutdown—there have been plans to try to broadcast a cellular or Wi-Fi signal from Finland into Russia, for example. In North Korea, balloons with USB keys attached bring news and entertainment into one of the most heavily censored countries in the world.

But cell signals can be jammed, Starlink terminals can be triangulated, and balloons can be intercepted. The best way to deliver information into a closed country without being caught or thwarted, Jason Roks tells WIRED, is steganography: the act of camouflaging information inside another message. And eQsat is the answer to the question “How do you blend in the most?”

Roks and the team at eQualitie rented space on commercial satellites and began broadcasting their own television channel to countless home satellite receivers throughout Asia and Africa. But should anyone be flipping through the channels, the eQualitie station will be static or color bars. Anyone who records the channel to a USB key, however, would discover that one of the audio tracks is, in fact, a compressed file. Extracted on a computer, it reveals a wealth of information.

“So this is a mechanism we developed to replenish from the outside,” Roks says. “We partnered with dozens of news organizations to, basically, take a snapshot of their websites and—very much like Internet Archive, the Wayback Machine—we keep a version of their site. And we update them daily, quarterly, whatever that basis is. And that works out to about, all those sites for Russia and Ukraine, about a gig and a half of data.” That data, once extracted, can be fed into the BitTorrent network, and can update the cache for their Ceno browser.

A Tricky New Way to Sneak Past Repressive Internet Censorship

Categories: Podcast
This week on the Lock and Code podcast, we speak with Mozilla's Privacy Not Included team about the invasive data collection practices of modern cars. 



(Read more...)




The post What does a car need to know about your sex life? Lock and Code S04E20 appeared first on Malwarebytes Labs.

_This week on the Lock and Code podcast..._

When you think of the modern tools that most invade your privacy, what do you picture?

There's the obvious answers, like social media platforms including Facebook and Instagram. There's email and "everything" platforms like Google that can track your locations, your contacts, and, of course, your search history. There's even the modern web itself, rife with third-party cookies that track your browsing activity across websites so your information can be bundled together into an ad-friendly profile. 

But here's a surprise answer with just as much validity: Cars. 

A team of researchers at Mozilla which has reviewed the privacy and data collection policies of various product categories for several years now, named "Privacy Not Included," recently turned their attention to modern-day vehicles, and what they found shocked them. Cars are, to put it shortly, a privacy nightmare. 

According to the team's research, Nissan says it can collect “sexual activity” information about consumers. Kia says it can collect information about a consumer's “sex life.” Subaru _passengers_ allegedly consent to the collection of their data by simply being in the vehicle_._ Volkswagen says it collects data like a person's age and gender and whether they're using your seatbelt, and it can use that information for targeted marketing purposes. 

But those are just some of the highlights from the Privacy Not Included team. Explains Zoë MacDonald, content creator for the research team: 

"We were pretty surprised by the data points that the car companies say they can collect... including social security number, information about your religion, your marital status, genetic information, disability status... immigration status, race. And of course, as you said.. one of the most surprising ones for a lot of people who read our research is the sexual activity data."

Today on the Lock and Code podcast with host David Ruiz, we speak with MacDonald and Jen Caltrider, Privacy Not Included team lead, about the data that cars can collect, how that data can be shared, how it can be used, and whether consumers have any choice in the matter.

We also explore the booming revenue stream that car manufacturers are tapping into by not only collecting people's data, but also packaging it together for targeted advertising. With so many data pipelines being threaded together, Caltrider says the auto manufacturers can even make "inferences" about you.  

"What really creeps me out \[is\] they go on to say that they can take all the information they collect about you from the cars, the apps, the connected services, and everything they can gather about you from these third party sources," Caltrider said, "and they can combine it into these things they call 'inferences' about you about things like your intelligence, your abilities, your predispositions, your characteristics." 

Caltrider continued:

> "And that's where it gets really creepy because I just imagine a car company knowing so much about me that they've determined how smart I am."

Tune in today for the full conversation. 

You can also find us on Apple Podcasts, Spotify, and Google Podcasts, plus whatever preferred podcast platform you use.

_Show notes and credits:_

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)  
Licensed under Creative Commons: By Attribution 4.0 License  
http://creativecommons.org/licenses/by/4.0/  
Outro Music: “Good God” by Wowa (unminus.com)

What does a car need to know about your sex life? Lock and Code S04E20

An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time.
"While this activity occurred around the same time and in some instances even simultaneously on the same victims' machines, each cluster is characterized by distinct tools, modus operandi and infrastructure," Palo Alto

An unnamed Southeast Asian government has been targeted by multiple China-nexus threat actors as part of espionage campaigns targeting the region over extended periods of time.

"While this activity occurred around the same time and in some instances even simultaneously on the same victims' machines, each cluster is characterized by distinct tools, modus operandi and infrastructure," Palo Alto Networks Unit 42 researchers Lior Rochberger, Tom Fakterman, and Robert Falcone said in an exhaustive three-part report.

The attacks, which targeted different governmental entities such as critical infrastructure, public healthcare institutions, public financial administrators and ministries, have been attributed with moderate confidence to three disparate clusters tracked as Stately Taurus (aka Mustang Panda), Alloy Taurus (aka Granite Typhoon), and Gelsemium.

**Mustang Panda uses TONESHELL variant and ShadowPad**

"The attackers conducted a cyberespionage operation that focused on gathering intelligence as well as stealing sensitive documents and information, while maintaining a persistent and clandestine foothold," the researchers said, describing it as "highly-targeted and intelligence-driven."

The activity spanned from the second quarter of 2021 to the third quarter of 2023, leveraging an assortment of tools to conduct reconnaissance, steal credentials, maintain access, and conduct post-compromise actions.

Some of the notable software used to reach these goals comprise the LadonGo open-source scanning framework, AdFind, Mimikatz, Impacket, China Chopper web shells, Cobalt Strike, ShadowPad, and a new version of the TONESHELL backdoor.

The malware eschews the use of shellcode in favor of three DLL-based components to set up persistence on the endpoint, establish command-and-control communications with a remote server, and carry out information-gathering operations, including command execution, file system interaction, keylogging, and screen capture.

"During the operation, the threat actor slowly took control of the victims' environments, focusing on maintaining control for a long-term operation," the researchers noted. "The purpose of the threat actor's efforts appears to be the continuous gathering and exfiltration of sensitive documents and intelligence."

**Alloy Taurus Aims to Fly Under the Radar**

The intrusion set linked to Alloy Taurus is said to have commenced in early 2022 and continued throughout 2023, leveraging uncommon techniques and bypassing security products for long-term persistence and reconnaissance.

These attacks, occurring in six different waves, weaponize security flaws in Microsoft Exchange Servers to deploy web shells, which then serves as a conduit to deliver additional payloads, counting two previously unknown .NET backdoors Zapoa and ReShell to execute arbitrary commands remotely and harvest sensitive data.

Zapoa also incorporates features to extract system information, run shellcode, enumerate running processes, load more .NET assembly files to augment its capabilities, and timestamp files and artifacts with a supplied date, a technique called timestomping.

"The threat actor behind this cluster employed a mature approach, utilizing multiwave intrusions and exploiting vulnerabilities in Exchange Servers as their main penetration vector," the researchers said.

In some cases, Alloy Taurus has also been observed carrying out credential theft to facilitate lateral movement by abusing the remote administration tool AnyDesk already present in the infiltrated environment.

UPCOMING WEBINAR

AI vs. AI: Harnessing AI Defenses Against AI-Powered Risks

Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.

Supercharge Your Skills

Some of the other software installed by the threat actor include Cobalt Strike, Quasar RAT, HDoor (a backdoor previously used by Chinese groups like Naikon and Goblin Panda), a Gh0st RAT variant known as Gh0stCringe, and Winnti, a multi-functional implant capable of granting remote control to an infected machine.

**Gelsemium Singles Out Vulnerable IIS Servers**

"This unique cluster had activity spanning over six months between 2022-2023," the researchers noted.

"It featured a combination of rare tools and techniques that the threat actor leveraged to gain a clandestine foothold and collect intelligence from sensitive IIS servers belonging to a government entity in Southeast Asia."

The attack chains capitalize on vulnerable web servers to install web shells and distribute backdoors like OwlProxy and SessionManager, while simultaneously utilizing other tools such as Cobalt Strike, Meterpreter, Earthworm, and SpoolFool for post-exploitation, tunneling command-and-control traffic, and privilege escalation.

OwlProxy is an HTTP proxy with backdoor functionality that first came to light in April 2020. SessionManager, detailed by Kaspersky last July, is a custom backdoor designed to parse the Cookie field within inbound HTTP requests to extract the commands issued by the attacker.

"The threat actor received access through the use of several web shells, following the attempted installation of multiple types of proxy malware and an IIS backdoor," the researchers said. "As some of the threat actor's attempts to install malware were unsuccessful, they kept delivering new tools, showing their ability to adapt to the mitigation process."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

New Report Uncovers Three Distinct Clusters of China-Nexus Attacks on Southeast Asian Government

MultiBit HD before 0.1.2 allows attackers to conduct bit-flipping attacks that insert unspendable Bitcoin addresses into the list that MultiBit uses to send fees to the developers. (Attackers cannot realistically steal these fees for themselves.) This occurs because there is no message authentication code (MAC).

**Multibit is Deprecated - Do Not Use**

Wednesday, July 26, 2017

Dear Bitcoin Community,

It is time for us to let Multibit go.

KeepKey acquired Multibit a little over 1 year ago. At the time, the engineers who originally built and supported Multibit had announced that they would no longer be working on it or providing support. Multibit played an important role in the Bitcoin infrastructure. We felt that it was important for Multibit to continue and hoped that with our existing support and development teams, we would be able to keep Multibit alive.

The reality is that Multibit is in need of a lot of work. It has stubborn bugs that have caused us and Multibit users much grief. Additionally, Bitcoin has gone through a fundamental change in regards to the way fees work. The addition of SegWit in the coming weeks will mean the Multibit software has fallen still further behind.

Unfortunately, KeepKey simply does not have the resources to support the current issues, nor to rebuild Multibit to ensure ideal user experience. By focusing our attention on the KeepKey device, we will continue building and improving the best hardware wallet available.

Thus, KeepKey will discontinue support and maintenance of Multibit, effective immediately.

We recommend that all Multibit users discontinue using it and you move your keys to other wallet software of your choosing.

**Next Steps for Multibit Users**

Videos that demonstrate how to move your wallet to Electrum are available on YouTube.

*   Multibit HD: https://youtu.be/E-KcY6KUVnY
*   Multibit Classic: https://youtu.be/LaijbTcxsv8

Please note that the version of Electrum available for download today (version 2.8.3) doesn’t fully support the importing Multibit HD wallet words. The version shown in the Multibit HD video is the soon-to-be-released next version.

Multibit was a fantastic piece of software in its time, and we want to thank the Multibit developers for such an important contribution to Bitcoin’s history.

Sincerely,

Ken Heutmaker

CTO, KeepKey

**Introduction**

MultiBit is a Simplified Payment Verification (SPV) Bitcoin desktop client.

MultiBit is now in maintenance mode as it has largely been replaced by MultiBit HD. To avoid confusion we refer to MultiBit Classic and MultiBit HD to keep them separate.

MultiBit Classic relies on the following technologies:

*   Maven as the build system, so the usual Maven processes apply. If you're not familiar with Maven then download it first and follow their installation instructions.
*   ZXing ("Zebra Crossing") for QR codes
*   Bitcoinj for access to the Bitcoin network
*   Install4j for creating installers for Windows, Mac, Linux
*   Bitcoinj Enforcer Rules to prevent dependency chain attacks
*   XChange for access to several Bitcoin exchanges

**The Bitcoinj "Alice" dependency**

MultiBit Classic depends on a special fork of Bitcoinj for its Bitcoin support. This is due to legacy wallet serialization issues and the MultiBit team are working towards a complete integration through the MultiBit HD project.

While it is possible to build MultiBit Classic using our staging repository you may want to review the modified Bitcoinj library for yourself. You can clone from this fork:

    https://code.google.com/r/jimburton618-bitcoinj-coinbase-tx/source/checkout
    

The branch you should use for the MultiBit master code is: bcj-0.11.2-mb-alice The branch you should use for the MultiBit develop code is: bcj-0.11.2-mb-alice

Once cloned, you should then install the custom Bitcoinj library using

**Branching strategy**

This loosely follows the "master-develop" or "Git flow" pattern.

There are 2 main branches: master and develop. The master branch is exclusively for releases, while the develop is exclusively for release candidates. The develop branch always has a Maven version of develop-SNAPSHOT.

Occasionally a feature branch will be made off develop to cover a long-running issue. This will then be merged back into develop

When develop is ready for release it is subjected to extensive testing (manual and automated). The final act is to update the pom.xml to remove the SNAPSHOT suffix and merge it into master.

The master branch is then tagged with the release number. Tags are in the format v1.2.3 to distinguish them from branch names.

An announcement is made on the MultiBit website and social media (Twitter, Reddit, Bitcointalk etc) to alert everyone that a new version is available.

**Maven build targets**

The important targets are:

After some processing, you will have the following artifacts in the target directory:

*   an executable jar: multibit-exe.jar

**Bitcoin Solutions staff**

Use the Install4j installer in the multibit-installers project to create your Mac/ Win/ Linux installers.

To run MultiBit from these artifacts you can follow the instructions provided on the main MultiBit website

**Custom configuration**

MultiBit Classic is quite flexible and has several features only accessible to power users through the configuration file. This is discussed in more detail in configuration.md

**Contributing**

All contributors must be OK with releasing their work under the MIT license.

CVE-2015-6964: GitHub - Multibit-Legacy/multibit: Deprecated Bitcoin Wallet

Categories: News
Tags: Themebleed

Tags:  zero-days

Tags:  Apple

Tags:  T-Mobile

Tags:  MGM

Tags:  metaverse

A list of topics we covered in the week of September 18 to September 24 of 2023



(Read more...)




The post A week in security (September 18 - September 24) appeared first on Malwarebytes Labs.

Cybersecurity info you can't do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Cyberprotection for every one.

For Personal

Windows Antivirus

Mac Antivirus

Android Antivirus

Free Antivirus

VPN App (All Devices)

Malwarebytes for iOS

See all

Company

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

FOR BUSINESS

Small Businesses

Mid-size Businesses

Large Enterprise

Endpoint Protection

Endpoint Detection & Response

Managed Detection and Response (MDR)

FOR PARTNERS

Managed Service Provider (MSP) Program

Resellers

MY ACCOUNT

Sign In

SOLUTIONS

Rootkit Scanner

Trojan Scanner

Virus Scanner

Spyware Scanner  

Password Generator

Anti Ransomware Protection

ADDRESS

3979 Freedom Circle  
12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay  
2nd Floor  
Cork T12 X8N6  
Ireland

LEARN

Malware

Hacking

Phishing

Ransomware

Computer Virus

Antivirus  

What is VPN?

COMPANY

About Us

Contact Us

Careers

News and Press

Blog

Scholarship

Forums

MY ACCOUNT

Sign In

ADDRESS

3979 Freedom Circle, 12th Floor  
Santa Clara, CA 95054

ADDRESS

One Albert Quay, 2nd Floor  
Cork T12 X8N6  
Ireland

A week in security (September 18 - September 24)

By Waqas
KEY FINDINGS Cybersecurity researchers at Group-IB unearthed a covert cryptojacking campaign concealed within a popular online thesaurus boasting…
This is a post from HackRead.com Read the original post: Popular Thesaurus Website Used in Sneaky Cryptojacking Scheme

****KEY FINDINGS****

*   **Group-IB uncovers cryptojacking campaign on popular thesaurus site.**

*   **Attackers used a drive-by-download technique to spread malware.**

*   **The campaign distributed a Monero cryptocurrency miner.**

*   **Unsophisticated tactics highlight risks even on trusted websites.**

*   **Recommendations emphasize the importance of regular updates and robust security measures.**

Cybersecurity researchers at **Group-IB** unearthed a covert cryptojacking campaign concealed within a popular online thesaurus boasting over five million monthly visitors. This campaign employed a cunning tactic, embedding a script that surreptitiously installed malware on visitors’ computers to mine cryptocurrency, opening the door for more malicious activities.

Group-IB’s experts crack the story behind this cybercriminal operation through their use of Managed Extended Detection and Response (MXDR), a solution designed for round-the-clock threat monitoring, proactive threat hunting, and real-time attack mitigation.

During their monitoring, Group-IB’s security specialists detected numerous malicious archives flagged by the MXDR system. This triggered an alarm as they observed an unusually high number of malware samples emerging within the infrastructure of several client companies.

These archives, peculiarly named in the pattern of “chromium-patch-nightly.00.{3}.{3}.zip,” each with a unique identifier, indicated that the MXDR customers had received these malicious archives from a common source, suggesting an unconventional approach taken by the attackers.

Upon analyzing these malicious archives; Group-IB found that they contained an executable file functioning as a dropper, responsible for installing the **XMRig Coinminer**—a cryptocurrency mining tool specifically designed for Monero. Monero’s inherent anonymity, which conceals transaction details, allows threat actors to remain covert.

To trace the source of these infected archives, Group-IB turned to data from the Endpoint Detection and Response (EDR) module. After analyzing the events related to the discovery of the malicious objects on host machines, it was apparent that the archives had been downloaded to the “Downloads” folder, typically used by default during user internet sessions. The security experts examined browser history, revealing that these malicious samples were downloaded from an online thesaurus.

Group-IB’s analysts reconstructed the infection chain, revealing that when visitors accessed the thesaurus website, a decoy page triggered the automatic download of a malicious archive. Notably, the script responsible for this action was not injected into the section of the website dedicated to antonyms. The archive itself was downloaded from another website, chrome-errorco.

Further investigation revealed that the dropper, despite being downloaded to users’ machines, had not been executed, preventing any immediate threats.

Screenshot: Group-IB

According to Group-IB’s **report**, to safeguard their clients from potential security incidents, Group-IB promptly notified them about the threat. Additionally, the experts shared contextual insights about the incident and recommended preventive measures, including the deletion of the malicious archive.

In the event of confirmed malicious files, Group-IB MXDR’s Endpoint Detection and Response (EDR) agent is capable of automatically blocking and locally quarantining such files.

Despite the ability of Group-IB MXDR to block known malicious files, the system sends periodic requests to the main console, sharing hashes of files marked as malicious by the behavioral analysis subsystem. This feature ensures that if one customer detects a malicious file, the hash is subsequently added to other customers’ blocklists.

Group-IB’s Group-IB MXDR alerts its clients

The analyzed script responsible for the attack conducted the following actions:

Sent a signal to a specified page and downloaded a new script, executing it  
Displayed a **fake Chrome error page** instructing users to install a downloaded update  
Ultimately, this revelation underscores the critical need for vigilance even on trusted and highly frequented websites.

The cybercriminals behind this campaign employed well-known tactics, such as drive-by downloads and social engineering via deceptive error pages, emphasizing the importance of robust cybersecurity measures.

Group-IB’s analysis further revealed that the threat actors’ relatively unsophisticated approach should not be underestimated. Once the loader infiltrates a target company’s infrastructure, it can serve as a potent vector for future, more damaging attacks beyond cryptocurrency mining, such as ransomware or wipers, which can result in severe disruptions and significant damage.

For secure defences against such threats, Group-IB recommends:

*   Keeping operating systems and software up to date
*   Downloading software and updates from official sources or restricting user rights to update independently
*   Monitoring workstation resource utilization for signs of cryptomining activity
*   Employing Endpoint Detection and Response solutions to block malicious file downloads and halt attacks at their earliest stages
*   Utilizing modern Malware Detonation Platforms for safe and thorough analysis of suspicious files

****RELATED ARTICLES****

Infected WAV files install malware & cryptominers on PCs

Group-IB Founder Ilya Sachkov Jailed for 14 Years in Russia

VictoryGate cryptominer infected 35K devices via USB drives

Crypto Miner Hiding in Fake Microsoft, Google Translate Apps

WinRAR users update software as 0-day vulnerability is found

Tag

#mac