ZDI-24-206: Apple macOS ImageIO MPO Parsing Out-Of-Bounds Read Information Disclosure Vulnerability

Read Time:16 Second

This vulnerability allows remote attackers to disclose sensitive information on affected installations of Apple macOS. Interaction with the ImageIO library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The ZDI has assigned a CVSS rating of 3.3. The following CVEs are assigned: CVE-2023-42888.

Read More

ZDI-24-207: Apple macOS VideoToolbox Out-Of-Bounds Write Remote Code Execution Vulnerability

Read Time:18 Second

This vulnerability allows remote attackers to execute arbitrary code on affected installations of Apple macOS. User interaction is required to exploit this vulnerability in that the target must receive a malicious image file that is written to the local filesystem. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2023-42902.

Read More

Introducing Social Privacy Manager

Read Time:6 Minute, 37 Second

If you’re concerned about your privacy on social media, you have plenty of company. Here’s something else you have — a great way to lock it down. 

Just how concerned are people about their privacy on social media? We asked. Worldwide, 73% of social media users said they’re highly concerned with their security and privacy on social media platforms.  

And for parents of teens, those concerns about privacy on social media weigh even heavier. Fresh insights published by Pew Research[i] reveal that nearly 1 in 5 teens in the U.S. said they’re on YouTube and TikTok “almost constantly.”  

 

With social media usage and privacy concerns so high, we created McAfee’s Social Privacy Manager. 

If you’ve ever taken a dive into the privacy settings on your social media accounts, you know just how deep they can go.  And if you haven’t, it can involve dozens of individual menus and settings. In all, it can get tricky when it comes time to setting them the way you like. It’s a lot of work. Plenty of work when you consider how platforms change and update their settings over time.  

Our Social Privacy Manager does that work for you, automatically adjusting more than 100 privacy settings across all the accounts you choose. As a result, you can reduce the amount of data being collected and ensure your info is only visible to the people you want to share it with — which can help keep your personal info out of the wrong hands. As we’ll see, social media provides a wealth of info that hackers and scammers can potentially use against you. 

That’s why privacy on social media matters so much. Let’s start with a look at what bad actors are up to on social media and at how much time teens are spending on it. From there, we’ll hop into how quickly and easily McAfee’s Social Privacy Manager can help keep you and your family far safer than before.  

Social media – the goldmine for hackers and scammers 

For some time, we’ve seen how hackers and scammers use social media to fuel their attacks and scams. It’s an open book. A book about you. Your likes, your life, not to mention the photos of where you go, what you like to do, and who you do it with. That info is as good as gold for hackers and scammers. 

With that exacting kind of info, bad actors out there can commit identity theft and cook up phishing scams using relevant info about you. An analogy explains how. Your identity is like a puzzle, and various pieces of personal info are the pieces. With enough pieces, a bad actor can put together a puzzle picture of you. One that’s complete just enough to open a loan, make an insurance claim, or pose as you in some way.  

For those pieces, they’ll turn to info found on the dark web, info readily available from online data brokers, and yet more info from social media. Already, we have products and features that protect your identity on the dark web and that help remove your info from sketchy data broker sites. Now, our Social Privacy Manager helps you shut down one more source of info from bad actors — a source they successfully tap into. 

According to the U.S. Federal Trade Commission (FTC), scammers recently used social media as a contact method in 11% of the fraud and identity theft cases where victims cited a method.  

Source: FTC 

While that figure finds itself somewhat in the middle of the pack in terms of contact methods, it was the second-most effective method as it led to a loss 61% of the time. Only ads and pop-ups worked more effectively at 63%, making social media a goldmine for hackers and scammers indeed. 

Social media privacy — it’s a family matter too. 

Earlier, we mentioned just how much time teens spend on social media. Taking a deeper dive into the numbers provided by Pew Research, we can see a couple of things — the top platforms they use and how often they use them: 

YouTube absolutely leads the way with 93% of U.S. teens using that social media platform. Right behind it, TikTok, Snapchat, and Instagram. Also on this chart, you can spot the steep ten-year decline of Facebook and Twitter (X), a particularly precipitous drop for Facebook of more than half. 

As for how often teens visit these platforms daily, the same names follow in order. YouTube takes the number one spot yet again, with 71% of teens saying they use it daily. In all, teens are telling us that social media factors into a large part of their day. “Almost constantly” for some.  

From a parental standpoint, the privacy implications are clear. High use leads to high exposure and the potential privacy risks that follow. Not to mention possible exposure to scams just as adult social media users might encounter. 

Without question, this makes privacy on social media a family matter.  

Now for the good news – how to make yourself more private on social media. 

While social media provides bad actors with another avenue to commit crimes online, you can still use social media safely in a way that reduces your risk. 

With our Social Privacy Manager, you can determine what you do and don’t want to share. It scans the accounts you enter and offers suggestions that can improve your privacy. You select which ones you want to enable, and the app makes the updates with a single click.  

Making it even simpler, you can also secure your privacy based on what kind of social media user you are. Whether you just tend to hang back, explore, or put yourself out there a bit more, there’s a privacy setting for you. And if you change your mind, it can help change your settings whenever you like. 

If it all seems rather straightforward and simple, it is. We designed it so that you don’t have to dig through menu after menu to uncover every setting and then make the informed choice you want to make. The app does the work for you. And you can run it any time and update your settings as you like. In fact, we suggest running checks regularly as platforms can and do change their privacy settings and policies. 

And as we saw above, teens are on social media. A lot. Note that you can use our Social Privacy Manager on the accounts your teens have too. It’s just a matter of running through the same steps with each of their accounts.  This way, everyone in the family can boost their privacy on social media. 

You can find McAfee’s Social Privacy Manager in our McAfee+ online protection plans. In conjunction with a host of other features like Identity Monitoring and Personal Data Cleanup, you can thoroughly protect your privacy and identity. On social media and anywhere else your travels take you online. 

You can take a peek of Social Privacy Manager here: 

 

Want to be more private on social media? Now you can, more easily than before. 

In all, the last several years have seen numerous advances that make it easier, and quicker, to protect your privacy and identity. Old, manual processes that were spread out across umpteen sites and services are now automatic. And guided too. McAfee’s Social Privacy Manager stands as yet one more of those advances. 

True, going online carries its risks. Social media complicates them more so. Yet you can reduce those risks, significantly so. You really can lock down your privacy. Quickly and easily, for you and your family. 

[i] https://www.pewresearch.org/internet/2023/12/11/teens-social-media-and-technology-2023/  

 

 

The post Introducing Social Privacy Manager appeared first on McAfee Blog.

Read More

FBI’s LockBit Takedown Postponed a Ticking Time Bomb in Fulton County, Ga.

Read Time:9 Minute, 35 Second

The FBI’s takedown of the LockBit ransomware group last week came as LockBit was preparing to release sensitive data stolen from government computer systems in Fulton County, Ga. But LockBit is now regrouping, and the gang says it will publish the stolen Fulton County data on March 2 unless paid a ransom. LockBit claims the cache includes documents tied to the county’s ongoing criminal prosecution of former President Trump, but court watchers say teaser documents published by the crime gang suggest a total leak of the Fulton County data could put lives at risk and jeopardize a number of other criminal trials.

A new LockBit website listing a countdown timer until the promised release of data stolen from Fulton County, Ga.

In early February, Fulton County leaders acknowledged they were responding to an intrusion that caused disruptions for its phone, email and billing systems, as well as a range of county services, including court systems.

On Feb. 13, the LockBit ransomware group posted on its victim shaming blog a new entry for Fulton County, featuring a countdown timer saying the group would publish the data on Feb. 16 unless county leaders agreed to negotiate a ransom.

“We will demonstrate how local structures negligently handled information protection,” LockBit warned. “We will reveal lists of individuals responsible for confidentiality. Documents marked as confidential will be made publicly available. We will show documents related to access to the state citizens’ personal data. We aim to give maximum publicity to this situation; the documents will be of interest to many. Conscientious residents will bring order.”

Yet on Feb. 16, the entry for Fulton County was removed from LockBit’s site without explanation. This usually only happens after the victim in question agrees to pay a ransom demand and/or enters into negotiations with their extortionists.

However, Fulton County Commission Chairman Robb Pitts said the board decided it “could not in good conscience use Fulton County taxpayer funds to make a payment.”

“We did not pay nor did anyone pay on our behalf,” Pitts said at an incident briefing on Feb. 20.

Just hours before that press conference, LockBit’s various websites were seized by the FBI and the U.K.’s National Crime Agency (NCA), which replaced the ransomware group’s homepage with a seizure notice and used the existing design of LockBit’s victim shaming blog to publish press releases about the law enforcement action.

The feds used the existing design on LockBit’s victim shaming website to feature press releases and free decryption tools.

Dubbed “Operation Cronos,” the effort involved the seizure of nearly three-dozen servers; the arrest of two alleged LockBit members; the release of a free LockBit decryption tool; and the freezing of more than 200 cryptocurrency accounts thought to be tied to the gang’s activities. The government says LockBit has claimed more than 2,000 victims worldwide and extorted over $120 million in payments.

UNFOLDING DISASTER

In a lengthy, rambling letter published on Feb. 24 and addressed to the FBI, the ransomware group’s leader LockBitSupp announced that their victim shaming websites were once again operational on the dark web, with fresh countdown timers for Fulton County and a half-dozen other recent victims.

“The FBI decided to hack now for one reason only, because they didn’t want to leak information fultoncountyga.gov,” LockBitSupp wrote. “The stolen documents contain a lot of interesting things and Donald Trump’s court cases that could affect the upcoming US election.”

A screen shot released by LockBit showing various Fulton County file shares that were exposed.

LockBit has already released roughly two dozen files allegedly stolen from Fulton County government systems, although none of them involve Mr. Trump’s criminal trial. But the documents do appear to include court records that are sealed and shielded from public viewing.

George Chidi writes The Atlanta Objective, a Substack publication on crime in Georgia’s capital city. Chidi says the leaked data so far includes a sealed record related to a child abuse case, and a sealed motion in the murder trial of Juwuan Gaston demanding the state turn over confidential informant identities.

Chidi cites reports from a Fulton County employee who said the confidential material includes the identities of jurors serving on the trial of the rapper Jeffery “Young Thug” Williams, who is charged along with five other defendants in a racketeering and gang conspiracy.

“The screenshots suggest that hackers will be able to give any attorney defending a criminal case in the county a starting place to argue that evidence has been tainted or witnesses intimidated, and that the release of confidential information has compromised cases,” Chidi wrote. “Judge Ural Glanville has, I am told by staff, been working feverishly behind the scenes over the last two weeks to manage the unfolding disaster.”

LockBitSupp also denied assertions made by the U.K.’s NCA that LockBit did not delete stolen data as promised when victims agreed to pay a ransom. The accusation is an explosive one because nobody will pay a ransom if they don’t believe the ransomware group will hold up its end of the bargain.

The ransomware group leader also confirmed information first reported here last week, that federal investigators managed to hack LockBit by exploiting a known vulnerability in PHP, a scripting language that is widely used in Web development.

“Due to my personal negligence and irresponsibility I relaxed and did not update PHP in time,” LockBitSupp wrote. “As a result of which access was gained to the two main servers where this version of PHP was installed.”

LockBitSupp’s FBI letter said the group kept copies of its stolen victim data on servers that did not use PHP, and that consequently it was able to retain copies of files stolen from victims. The letter also listed links to multiple new instances of LockBit dark net websites, including the leak page listing Fulton County’s new countdown timer.

LockBit’s new data leak site promises to release stolen Fulton County data on March 2, 2024, unless paid a ransom demand.

“Even after the FBI hack, the stolen data will be published on the blog, there is no chance of destroying the stolen data without payment,” LockBitSupp wrote. “All FBI actions are aimed at destroying the reputation of my affiliate program, my demoralization, they want me to leave and quit my job, they want to scare me because they can not find and eliminate me, I can not be stopped, you can not even hope, as long as I am alive I will continue to do pentest with postpaid.”

DOX DODGING

In January 2024, LockBitSupp told XSS forum members he was disappointed the FBI hadn’t offered a reward for his doxing and/or arrest, and that in response he was placing a bounty on his own head — offering $10 million to anyone who could discover his real name.

After the NCA and FBI seized LockBit’s site, the group’s homepage was retrofitted with a blog entry called, “Who is LockBitSupp? The $10M question.” The teaser made use of LockBit’s own countdown timer, and suggested the real identity of LockBitSupp would soon be revealed.

However, after the countdown timer expired the page was replaced with a taunting message from the feds, but it included no new information about LockBitSupp’s identity.

On Feb. 21, the U.S. Department of State announced rewards totaling up to $15 million for information leading to the arrest and/or conviction of anyone participating in LockBit ransomware attacks. The State Department said $10 million of that is for information on LockBit’s leaders, and up to $5 million is offered for information on affiliates.

In an interview with the malware-focused Twitter/X account Vx-Underground, LockBit staff asserted that authorities had arrested a couple of small-time players in their operation, and that investigators still do not know the real-life identities of the core LockBit members, or that of their leader.

“They assert the FBI / NCA UK / EUROPOL do not know their information,” Vx-Underground wrote. “They state they are willing to double the bounty of $10,000,000. They state they will place a $20,000,000 bounty of their own head if anyone can dox them.”

TROUBLE ON THE HOMEFRONT?

In the weeks leading up to the FBI/NCA takedown, LockBitSupp became embroiled in a number of high-profile personal and business disputes on the Russian cybercrime forums.

Earlier this year, someone used LockBit ransomware to infect the networks of AN-Security, a venerated 30-year-old security and technology company based in St. Petersburg, Russia. This violated the golden rule for cybercriminals based in Russia and former soviet nations that make up the Commonwealth of Independent States, which is that attacking your own citizens in those countries is the surest way to get arrested and prosecuted by local authorities.

LockBitSupp later claimed the attacker had used a publicly leaked, older version of LockBit to compromise systems at AN-Security, and said the attack was an attempt to smear their reputation by a rival ransomware group known as “Clop.” But the incident no doubt prompted closer inspection of LockBitSupp’s activities by Russian authorities.

Then in early February, the administrator of the Russian-language cybercrime forum XSS said LockBitSupp had threatened to have him killed after the ransomware group leader was banned by the community. LockBitSupp was excommunicated from XSS after he refused to pay an arbitration amount ordered by the forum administrator. That dispute related to a complaint from another forum member who said LockBitSupp recently stiffed him on his promised share of an unusually large ransomware payout.

A posted by the XSS administrator saying LockBitSupp wanted him dead.

INTERVIEW WITH LOCKBITSUPP

KrebsOnSecurity sought comment from LockBitSupp at the ToX instant messenger ID listed in his letter to the FBI. LockBitSupp declined to elaborate on the unreleased documents from Fulton County, saying the files will be available for everyone to see in a few days.

LockBitSupp said his team was still negotiating with Fulton County when the FBI seized their servers, which is why the county has been granted a time extension. He also denied threatening to kill the XSS administrator.

“I have not threatened to kill the XSS administrator, he is blatantly lying, this is to cause self-pity and damage my reputation,” LockBitSupp told KrebsOnSecurity. “It is not necessary to kill him to punish him, there are more humane methods and he knows what they are.”

Asked why he was so certain the FBI doesn’t know his real-life identity, LockBitSupp was more precise.

“I’m not sure the FBI doesn’t know who I am,” he said. “I just believe they will never find me.”

It seems unlikely that the FBI’s seizure of LockBit’s infrastructure was somehow an effort to stave off the disclosure of Fulton County’s data, as LockBitSupp maintains. For one thing, Europol said the takedown was the result of a months-long infiltration of the ransomware group.

Also, in reporting on the attack’s disruption to the office of Fulton County District Attorney Fanny Willis on Feb. 14, CNN reported that by then the intrusion by LockBit had persisted for nearly two and a half weeks.

Finally, if the NCA and FBI really believed that LockBit never deleted victim data, they had to assume LockBit would still have at least one copy of all their stolen data hidden somewhere safe.

Read More