New iPhone Exploit Uses Four Zero-Days


Kaspersky researchers are detailing “an attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky.” It’s a zero-click exploit that makes use of four iPhone zero-days.

The most intriguing new detail is the targeting of the heretofore-unknown hardware feature, which proved to be pivotal to the Operation Triangulation campaign. A zero-day in the feature allowed the attackers to bypass advanced hardware-based memory protections designed to safeguard device system integrity even after an attacker gained the ability to tamper with memory of the underlying kernel. On most other platforms, once attackers successfully exploit a kernel vulnerability they have full control of the compromised system.

On Apple devices equipped with these protections, such attackers are still unable to perform key post-exploitation techniques such as injecting malicious code into other processes, or modifying kernel code or sensitive kernel data. This powerful protection was bypassed by exploiting a vulnerability in the secret function. The protection, which has rarely been defeated in exploits found to date, is also present in Apple’s M1 and M2 CPUs.

The details are staggering:

Here is a quick rundown of this 0-click iMessage attack, which used four zero-days and was designed to work on iOS versions up to iOS 16.2.

1. Attackers send a malicious iMessage attachment, which the application processes without showing any signs to the user.
2. This attachment exploits the remote code execution vulnerability CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font instruction. This instruction had existed since the early nineties before a patch removed it.
3. It uses return/jump oriented programming and multiple stages written in the NSExpression/NSPredicate query language, patching the JavaScriptCore library environment to execute a privilege escalation exploit written in JavaScript.
4. This JavaScript exploit is obfuscated to make it completely unreadable and to minimize its size. Still, it has around 11,000 lines of code, which are mainly dedicated to JavaScriptCore and kernel memory parsing and manipulation.
5. It exploits the JavaScriptCore debugging feature DollarVM ($vm) to gain the ability to manipulate JavaScriptCore’s memory from the script and execute native API functions.
6. It was designed to support both old and new iPhones and included a Pointer Authentication Code (PAC) bypass for exploitation of recent models.
7. It uses the integer overflow vulnerability CVE-2023-32434 in XNU’s memory mapping syscalls (mach_make_memory_entry and vm_map) to obtain read/write access to the entire physical memory of the device at user level.
8. It uses hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL). This was mitigated as CVE-2023-38606.
9. After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage.
10. The web page has a script that verifies the victim and, if the checks pass, receives the next stage: the Safari exploit.
11. The Safari exploit uses CVE-2023-32435 to execute a shellcode.
12. The shellcode executes another kernel exploit in the form of a Mach object file. It uses the same vulnerabilities: CVE-2023-32434 and CVE-2023-38606. It is also massive in terms of size and functionality, but completely different from the kernel exploit written in JavaScript. Certain parts related to exploitation of the above-mentioned vulnerabilities are all that the two share. Still, most of its code is also dedicated to parsing and manipulation of the kernel memory. It contains various post-exploitation utilities, which are mostly unused.
13. The exploit obtains root privileges and proceeds to execute other stages, which load spyware. We covered these stages in our previous posts.
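Of the steps in the rundown, the one a defender can usefully model is the bug class behind CVE-2023-32434: an integer overflow in a size check on the memory-mapping path. The block below is an added example and is not Kaspersky's, Apple's or XNU's code. It is a constructed, hypothetical range check over an invented 64 KiB region (`REGION_SIZE`, `range_ok_unchecked`, `range_ok_checked`, `range_ok_strict` and the sample requests are all assumptions made here), written once with plain arithmetic, where `offset + size` can wrap around and a huge request passes the bounds test, and once with explicit overflow detection. It does not reproduce any XNU logic.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class only: a hypothetical 64 KiB
 * region that callers may ask to map a sub-range of. Not XNU code. */
#define REGION_SIZE ((uint64_t)0x10000)

/* Unchecked form: offset + size wraps modulo 2^64, so a huge size can
 * produce a small "end" that passes the bounds comparison. */
bool range_ok_unchecked(uint64_t offset, uint64_t size)
{
    uint64_t end = offset + size;   /* may wrap around */
    return end <= REGION_SIZE;
}

/* Checked form: refuse the request if the addition itself overflows,
 * then compare. __builtin_add_overflow exists in GCC and Clang. */
bool range_ok_checked(uint64_t offset, uint64_t size)
{
    uint64_t end;
    if (__builtin_add_overflow(offset, size, &end))
        return false;
    return end <= REGION_SIZE;
}

/* Stricter form: also reject empty ranges, which different callers tend
 * to interpret as "map nothing" or "map everything". */
bool range_ok_strict(uint64_t offset, uint64_t size)
{
    return size != 0 && range_ok_checked(offset, size);
}

/* Runs a constructed set of {offset, size} requests through both checks
 * and returns how many the unchecked version accepts but the checked
 * version refuses. The last request wraps so that end == 0. */
int count_unchecked_false_accepts(void)
{
    const uint64_t reqs[][2] = {
        {0x0000, 0x1000},               /* in bounds */
        {0xF000, 0x1000},               /* ends exactly at the limit */
        {0xF000, 0x1001},               /* one byte past the limit */
        {0x1000, UINT64_MAX - 0xFFF},   /* offset + size wraps to 0 */
    };
    int diffs = 0;
    for (size_t i = 0; i < sizeof reqs / sizeof reqs[0]; i++) {
        bool u = range_ok_unchecked(reqs[i][0], reqs[i][1]);
        bool c = range_ok_checked(reqs[i][0], reqs[i][1]);
        if (u && !c)
            diffs++;
    }
    return diffs;
}

int main(void)
{
    uint64_t off = 0x1000, sz = UINT64_MAX - 0xFFF;
    printf("offset=0x%" PRIx64 " size=0x%" PRIx64 "\n", off, sz);
    printf("unchecked accepts: %d, checked accepts: %d\n",
           range_ok_unchecked(off, sz), range_ok_checked(off, sz));
    printf("requests wrongly accepted by the unchecked check: %d\n",
           count_unchecked_false_accepts());
    return 0;
}
```

The point of the wrapping request is that every individual value is "valid" as an unsigned integer; only the sum is wrong, which is why a review that looks at each argument in isolation misses it and why the check has to be on the arithmetic itself.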

This is nation-state stuff, absolutely crazy in its sophistication. Kaspersky discovered it, so there’s no speculation as to the attacker.


VR and AR: Potential security risks to be prepared for


The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

Virtual reality (VR) and augmented reality (AR) technologies capture everyone’s imagination with use cases and an unlimited potential for future implementations. While these concepts have been around for decades, they continue to be buzzwords with a fascinating flavor of science fiction. The truth is that the VR and AR combination is close to mainstream adoption these days, with plenty of examples of successful projects creating ripples in ecommerce, entertainment, and many other industries.

According to Statista, the global virtual reality and augmented reality market is worth $32.1 billion in 2023, and analysts predict it will exceed $58 billion by 2028. These appear to be conservative estimates, with another study forecasting growth up to a whopping $252 billion in the next four years.

While these technologies have not yet been the target of major malicious exploitation, their skyrocketing popularity might encourage threat actors to come up with viable attack vectors in the near future. This article highlights some of the current security and privacy concerns that stem from the rising adoption of VR and AR technologies.

1. Eye tracking

Many people consider eye tracking in VR to be truly revolutionary. The logic of such a perspective is clear: this tech enhances the accuracy of virtual interaction and takes the user experience to a new level by helping interpret people’s emotions. It is also believed to give the security of VR systems a boost because eye scanning can refine biometric verification in the login workflows.

As useful as it is, glance tracking could also expose users to hidden monitoring and other privacy risks. For example, VR game makers may be tempted to embed advertisements in their products, similar to how sponsored information is shown in mobile games. If this is the case, eye tracking would be a perfect instrument for advertisers to figure out which ads draw your attention and which ones you ignore.

As per analysts’ findings, 95% of decisions to buy a product occur in the subconscious mind. By snooping on a user’s visual response, marketers may be able to derive conclusions regarding their preferences and dislikes. The flip side is that such a technology could potentially play into unscrupulous parties’ hands as a powerful surveillance instrument.

2. Blackmail and harassment

Adult entertainment is one of the most popular areas of the virtual reality industry. According to a relevant study, the VR adult content market will see a staggering rise from $716 million in 2021 to $19 billion in 2026. Cybercriminals may try to cash in on this hype by engaging in what’s known as “sextortion”. The idea is to deceive users into thinking that the malefactors have some embarrassing evidence of their private pastimes and instruct them to send money in exchange for not disclosing this information.

In some cases, the scammers may even include a valid password for one of the user’s web accounts so that the blackmail message appears credible. Bear in mind that they typically obtained such authentication details from a large-scale data breach that occurred in the past. While these emails contain nothing but empty threats, receiving one is a frustrating experience.

However, while most sextortion attempts are empty threats, some are based on actual hacking. The crooks may deposit spyware onto your device that will keep tabs on everything you type and watch online. If so, they won’t fail to take advantage of the surreptitiously harvested information. One of the best practice tips to avoid this type of attack is to refrain from clicking ads on adult sites.

3. Modifying reality

Whereas virtual reality tends to overshadow augmented reality in terms of the wow effect, the latter is more common in our day-to-day lives. The wearable Apple Vision Pro “spatial computing” device, announced last June and set to become available for the general public in 2024, is an example of truly breakthrough tech in this area.

Today, most AR head-mounted displays show the screen of one’s smartphone on the lenses. However, as time goes by, their sophistication will grow. This is the case with Apple’s upcoming gadget mentioned above, which will visually and audibly integrate digital content into the wearer’s real-world surroundings.

In theory, AR devices may be able to make people around us look like somebody else. They could also distort the way real-world objects appear to the viewer. A simulation of a movie theater experience when you are actually in front of your TV at home is another possible scenario.

The biggest downside of this imminent progress is that criminals will certainly do their best to abuse it. Imagine an instance where offenders hack your AR gadget and alter what you see through it. This may allow them to perpetrate scams by impersonating a person you know and trust. They may even cause serious physical harm, tricking car drivers into thinking the road goes straight when it actually makes a sharp turn.

The good news is that this is still largely science fiction. However, you never know what the future holds.

4. Deepfakes

The scourge of fake identities may also undermine the security of the VR ecosystem. With artificial intelligence and facial recognition technologies rapidly evolving, criminals may create an illusion that an impostor in a video is an entirely different person. This image synthesis technique is referred to as deepfake.

At this point, it may be possible to distinguish such a forged video from a genuine one, but the increasingly effective motion tracking sensors built into VR systems can potentially refine the deepfake tech and make the faux footage look much more realistic. If you happen to think this is a matter of the distant future, Facebook can prove you wrong. Since 2019, the social media giant has been working on virtual reality avatars that mimic anyone’s appearance and movements with amazing precision.

Deepfakes can become a powerful instrument in stratagems orchestrated by malicious actors. For instance, a phony celebrity endorsement is likely to encourage many people to invest in a fraudulent initiative, such as a cryptocurrency ICO (Initial Coin Offering). Fake political statements can also call forth serious international conflicts that aren’t easy to resolve afterward.

Roadmap to safety

There’s no “silver bullet” technique to secure one’s VR or AR experience. This is largely a matter of vigilance combined with regular security and privacy measures that apply to any digital ecosystem you engage with. Here are a few tips that should point you in the right direction.

Read the fine print

Privacy policies can be tedious to peruse, but the provisions in these documents are worth examining before you opt for the service. Focus on figuring out what types of personal data these companies collect and how exactly they handle it. Find out whether they share your information with third parties.

Don’t overshare personal information

Refrain from disclosing sensitive data within VR or AR environments if there is no such necessity. For instance, use pseudonyms and don’t share your financial information unless you are buying something. Consider using a reputable personal data removal service such as DeleteMe to stay on top of your online footprint and tidy up whatever doesn’t belong on the publicly accessible internet.

Follow safe online practices

A worthwhile method to keep your identity and sensitive data intact on the Internet is to use a VPN tool. Additionally, if you decide to join some online communities dedicated to VR and AR, exercise reasonable caution with these sites and don’t plunge headlong into following recommendations from strangers, especially if they tell you to download something. Make sure you use reliable Internet security software that will inspect every link you click for malicious characteristics in real time.

Manage permissions

An overprivileged app or service is always a source of potential risk. Keep the set of these permissions to a reasonable minimum and disable the ones that the application doesn’t require for its core functionality.

Use strong authentication

If the VR or AR system requires user accounts, specify strong and unique passwords. Don’t reuse these credentials across different services and enable two-factor authentication if available to add an extra layer of security and privacy.

Be mindful of physical surroundings

Spatial mapping and sensors in AR devices may capture details of your physical environment. Consider the implications of this and take heed of the surroundings while using the technology to avoid location tracking and other privacy ramifications.

Check for security certifications

When purchasing VR or AR hardware, look for devices that adhere to security and privacy standards. Check for certifications or endorsements from trusted organizations.

Going forward

The promise of immersive experiences through VR and AR coexists with the imperative to maintain a proper level of security and privacy. From biometric data collection to spatial mapping, awareness of the potential risks when engaging with this data-intensive territory should encourage users to stay cautious. Technological progress comes with its pitfalls, so it’s better to be prepared than not.


FortiEDR coverage: PoolParty Code Injection Technique


What is the Attack?

On December 6, researchers from SafeBreach published a new code injection technique for Windows called “Pool Party” at the Black Hat EU briefings.

The “Pool Party” technique injects code into a target process by way of the Windows API thread pool, relying on the fact that every process has an automatically created thread pool. It uses the thread pool API against the target process to add new work items to that process’s existing thread pool.

Why is this Significant?

The new injection technique comes in eight variants. SafeBreach researchers tested these against five leading EDR products and reported them to be effective in evading all of them.

Currently, no threat actors have been identified using this technique.

What is the Status of Coverage?

FortiEDR blocks all PoolParty variants out of the box.

FortiEDR’s injection detection does not rely on a specific API being called, but rather on a kernel behavior detection policy that allows unknown techniques to be detected.

Malicious actions by the injected threads, such as attempting to connect to C2, will be blocked by EDR.

FortiEDR customers with Collector versions 5.2.0 and 5.2.2 are protected with no update required to Collector or Content.


ZDI-24-001: Kofax Power PDF XPS File Parsing Use-After-Free Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-51563.


ZDI-24-002: Kofax Power PDF PDF File Parsing Out-Of-Bounds Read Information Disclosure Vulnerability


This vulnerability allows remote attackers to disclose sensitive information on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2023-51564.


ZDI-24-003: Kofax Power PDF XPS File Parsing Use-After-Free Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-51565.


ZDI-24-004: Kofax Power PDF OXPS File Parsing Stack-based Buffer Overflow Remote Code Execution Vulnerability


This vulnerability allows remote attackers to execute arbitrary code on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2023-51566.


ZDI-24-005: Kofax Power PDF OXPS File Parsing Use-After-Free Information Disclosure Vulnerability


This vulnerability allows remote attackers to disclose sensitive information on affected installations of Kofax Power PDF. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2023-51568.
