Your iPhone Is Vulnerable to a Malware Attack Even When It’s Off

Researchers found a way to exploit the tech that enables Apple’s Find My feature, which could allow attackers to track location when a device is powered down.

When you turn off an iPhone, it doesn’t fully power down. Chips inside the device continue to run in a low-power mode that makes it possible to locate lost or stolen devices using the Find My feature or use credit cards and car keys after the battery dies. Now researchers have devised a way to abuse this always-on mechanism to run malware that remains active even when an iPhone appears to be powered down.

It turns out that the iPhone’s Bluetooth chip—which is key to making features like Find My work—has no mechanism for digitally signing or even encrypting the firmware it runs. Academics at Germany’s Technical University of Darmstadt figured out how to exploit this lack of hardening to run malicious firmware that allows the attacker to track the phone’s location or run new features when the device is turned off.

The research is the first—or at least among the first—to study the risk posed by chips running in low-power mode. Not to be confused with iOS’s low-power mode for conserving battery life, the low-power mode (LPM) in this research allows chips responsible for near-field communication, ultra wideband, and Bluetooth to run in a special mode that can remain on for 24 hours after a device is turned off.

“The current LPM implementation on Apple iPhones is opaque and adds new threats,” the researchers wrote in a paper published last week. “Since LPM support is based on the iPhone’s hardware, it cannot be removed with system updates. Thus, it has a long-lasting effect on the overall iOS security model. To the best of our knowledge, we are the first who looked into undocumented LPM features introduced in iOS 15 and uncover various issues.”

Read more: Researchers devise iPhone malware that runs even when device is turned off | Ars Technica

https://www.wired.com/story/iphone-find-my-malware-attack-vulnerability/

Millions of Attacks Target Tatsu Builder Plugin

The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked as CVE-2021-25094 and was publicly disclosed on March 24, 2022 by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin. Tatsu Builder is a proprietary plugin that is not listed on the WordPress.org repository, so reliable installation counts are not available, but we estimate that the plugin has between 20,000 and 50,000 installations. Tatsu sent an urgent email notification to all of their customers on April 7th advising them to update, but we estimate that at least a quarter of remaining installations are still vulnerable.

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against attackers trying to exploit this vulnerability.

We began seeing attacks on May 10, 2022. The attacks are ongoing with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022. The attack volume has declined but the attacks are still ongoing at the time of publication.

Details at: https://www.wordfence.com/blog/2022/05/millions-of-attacks-target-tatsu-builder-plugin

Massive WordPress JavaScript Injection Campaign Redirects to Ads 

Sucuri’s remediation and research teams regularly find malicious redirects on client sites. These infections automatically redirect site visitors to third-party websites with malicious resources, scam pages, or commercial websites with the intention of generating illegitimate traffic.

As outlined in Sucuri’s latest hacked website report, they’ve been tracking a long-lasting campaign responsible for injecting malicious scripts into compromised WordPress websites. This campaign leverages known vulnerabilities in WordPress themes and plugins and has impacted an enormous number of websites over the year — for example, according to PublicWWW (May 2022), the April wave for this campaign was responsible for over 9,300 infected websites alone.

Since these PublicWWW results only show detections for simple script injections, we can assume that the scope is significantly larger.

Investigating Obfuscated JavaScript in WordPress Sites

We recently investigated a number of WordPress websites complaining about unwanted redirects. Interestingly enough, they were found to be related to a new wave of this massive campaign and were sending website visitors through a series of website redirects to serve them unwanted ads.

The websites all shared a common issue — malicious JavaScript had been injected within their website’s files and the database, including legitimate core WordPress files such as:

  • ./wp-includes/js/jquery/jquery.min.js
  • ./wp-includes/js/jquery/jquery-migrate.min.js

Once the website had been compromised, attackers had attempted to automatically infect any .js files with jQuery in the names. They injected code that begins with “/* trackmyposs*/eval(String.fromCharCode…”
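A defender-side check for the injection described above, as an added example that is not code from Sucuri or the original article: it walks a WordPress tree, finds `eval(String.fromCharCode(...))` blobs in jQuery-named `.js` files, and decodes the character codes statically so the hidden script can be read without running it. The sample tree and payload are constructed, and the regular expression assumes decimal character codes.

```python
import re
import tempfile
from pathlib import Path

# Comment marker quoted in the article; the injected code starts with it.
MARKER = "/* trackmyposs*/"
# eval(String.fromCharCode(<decimal codes>)): the shape quoted in the article.
CHARCODE_EVAL = re.compile(
    r"eval\s*\(\s*String\.fromCharCode\s*\(\s*([0-9,\s]+?)\s*\)\s*\)"
)


def decode_charcodes(arg_list):
    """Turn '100,111,99' into text without ever executing it."""
    out = []
    for token in arg_list.split(","):
        token = token.strip()
        if not token:
            continue
        code = int(token)
        # Out-of-range values cannot be characters; keep a visible placeholder.
        out.append(chr(code) if code <= 0x10FFFF else "\ufffd")
    return "".join(out)


def scan_tree(root, jquery_only=True):
    """Report every charcode-eval blob found in .js files under root."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.js")):
        # The article says files with jQuery in the name were targeted;
        # pass jquery_only=False to widen the sweep to every .js file.
        if jquery_only and "jquery" not in path.name.lower():
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for m in CHARCODE_EVAL.finditer(text):
            lead = text[max(0, m.start() - 32):m.start()]
            findings.append({
                "file": path.relative_to(root).as_posix(),
                "offset": m.start(),
                "has_marker": MARKER in lead,
                "decoded": decode_charcodes(m.group(1)),
            })
    return findings


# Constructed sample: a harmless statement standing in for the injected script.
SAMPLE_PAYLOAD = 'document.title = "constructed sample";'


def demo():
    """Build a small constructed tree (one infected file, one clean) and scan it."""
    codes = ",".join(str(ord(c)) for c in SAMPLE_PAYLOAD)
    injected = f"{MARKER}eval(String.fromCharCode({codes}));"
    clean = "/*! jQuery (constructed stand-in) */(function(){})();"
    with tempfile.TemporaryDirectory() as tmp:
        js_dir = Path(tmp, "wp-includes", "js", "jquery")
        js_dir.mkdir(parents=True)
        (js_dir / "jquery.min.js").write_text(injected + clean, encoding="utf-8")
        (js_dir / "jquery-migrate.min.js").write_text(clean, encoding="utf-8")
        return scan_tree(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['file']} @ {f['offset']} marker={f['has_marker']}: {f['decoded']}")
```

A hit in a core file such as `jquery.min.js` is best confirmed by comparing the file against a clean copy of the same WordPress release, since the article notes the database was injected as well and a file scan alone will not cover that.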

Continue reading: https://blog.sucuri.net/2022/05/massive-wordpress-javascript-injection-campaign-redirects-to-ads.html

Cybercriminals are using SEO to improve the ranking of malicious PDFs on search results

In brief: Netskope’s new security report shows that there’s been a fivefold yearly increase in malicious PDF phishing downloads, with a lot of victims getting referred from search engines. Meanwhile, downloads of Microsoft Office files containing malware have returned to pre-Emotet levels.

Netskope, a security service edge provider, just published their new Cloud and Threat Report, which examines the past 12 months of malware downloads from the cloud and web.

Research shows that there’s been a 450 percent yearly increase in malicious PDF phishing downloads, with attackers using search engine optimization (SEO) techniques to improve the ranking of malicious PDF files on search engines such as Google and Bing.

These files often take the form of fake file sharing requests, fake invoices, or even fake Captchas that redirect users to phishing, spam, scam, and malware websites.

According to the report, most malware is being downloaded from within the same region as its victim in order to avoid geofencing filters. Over 80 percent of all malware downloads by victims in North America were downloaded from websites hosted there.

There are several other noteworthy findings in the report. Trojans continue to be effective, with 77 percent of malware downloads being Trojans. There is no single Trojan family that is globally dominant, with the top 10 families accounting for only 13 percent of all downloads.

Cybercriminals use a combination of web and cloud to target their victims, as 53 percent of malware downloads originate from traditional websites and the rest from cloud apps used for collaboration and webmail. Here, attackers can send messages to their victims through emails, direct messages, comments, and document shares.

Source: https://www.techspot.com/news/94547-cybercriminals-using-seo-improve-ranking-malicious-pdfs-search.html

Zero-click attacks explained, and why they are so dangerous

Zero-click attacks, especially when combined with zero-day vulnerabilities, are difficult to detect and becoming more common.

Zero-click attack definition

Zero-click attacks, unlike most cyberattacks, don’t require any interaction from the users they target, such as clicking on a link, enabling macros, or launching an executable. They are sophisticated, often used in cyberespionage campaigns, and tend to leave very few traces behind—which makes them dangerous.

Once a device is compromised, an attacker can choose to install surveillance software, or they can choose to enact a much more destructive strategy by encrypting the files and holding them for ransom. Generally, a victim can’t tell when and how they’ve been infected through a zero-click attack, which means users can do little to protect themselves.

How zero-click attacks work

Zero-click attacks have become increasingly popular in recent years, fueled by the rapidly growing surveillance industry. One of the most popular spyware tools is NSO Group’s Pegasus, which has been used to monitor journalists, activists, world leaders, and company executives. While it’s not clear how each victim was targeted, it is believed that at least a few of them have received a WhatsApp call they didn’t even have to answer.

Messaging apps are often targeted in zero-click attacks because they receive large amounts of data from unknown sources without requiring any action from the device owner. Most often, the attackers exploit a flaw in how data is validated or processed.

Other less-known zero-click attack types have stayed under the radar, says Aamir Lakhani, cybersecurity researcher at Fortinet’s FortiGuard Labs. He gives two examples: parser application exploits (“while a user views a picture in a PDF or a mail application, the attacker is silently exploiting a system without user clicks or interaction needed”) and “WiFi proximity attacks that seek to find exploits on a WiFi stack and upload exploit code into [the] user’s space [in the] kernel to remotely take over systems.”

Zero-click attacks often rely on zero-days, vulnerabilities that are unknown to the software maker. Not knowing they exist, the maker can’t issue patches to fix them, which can put users at risk. “Even very alert and aware users cannot avoid those double-whammy zero-day and zero-click attacks,” Lakhani says.

These attacks are often used against high-value targets because they are expensive. “Zerodium, which purchases vulnerabilities on the open market, pays up to $2.5M for zero-click vulnerabilities against Android,” says Ryan Olson, vice president of threat intelligence, Unit 42 at Palo Alto Networks.

Examples of zero-click attacks

The target of a zero-click attack can be anything from a smartphone to a desktop computer and even an IoT device. One of the first defining moments in their history happened in 2010 when security researcher Chris Paget demonstrated at DEFCON18 how to intercept phone calls and text messages using a Global System for Mobile Communications (GSM) vulnerability, explaining that the GSM protocol is broken by design. During his demo, he showed how easy it was for his international mobile subscriber identity (IMSI) catcher to intercept the mobile phone traffic of the audience.

Another early zero-click threat was discovered in 2015 when the Android malware family Shedun took advantage of the Android Accessibility Service’s legitimate functions to install adware without the user doing anything. “By gaining the permission to use the accessibility service, Shedun is able to read the text that appears on screen, determine if an application installation prompt is shown, scroll through the permission list, and finally, press the install button without any physical interaction from the user,” according to Lookout.

A year later, in 2016, things got even more complicated. A zero-click attack was implemented into the United Arab Emirates surveillance tool Karma, which took advantage of a zero-day found in iMessage. Karma only needed a user’s phone number or email address. Then, a text message was sent to the victim, who didn’t even have to click on a link to be infected.

Once that text arrived on an iPhone, the attackers were able to see photos, emails, and location data, among other items. The hacking unit that used this tool, dubbed Project Raven, included U.S. intelligence hackers who helped the United Arab Emirates monitor governments and human rights activists.

By the end of that decade, zero-click attacks were being noticed more often, as surveillance companies and nation-state actors started to develop tools that didn’t require any action from the user. “Attacks that we were previously seeing through links in SMS, moved to zero-click attacks by network injections,” says Etienne Maynier, technologist at Amnesty International.

Amnesty and the Citizen Lab worked on several cases involving NSO Group’s Pegasus spyware, which was linked to several murders, including that of the Washington Post journalist Jamal Khashoggi. Once installed on a phone, Pegasus can read text messages, track calls, monitor a victim’s location, access the device’s mic and camera, collect passwords, and gather information from apps.

Khashoggi and his close ones were not the only victims. In 2019, a flaw in WhatsApp was exploited to target civil society and political figures in Catalonia. The attack started with a video call made on WhatsApp to the victim. Answering the call wasn’t necessary, as the data sent to the chat app wasn’t sanitized properly. This allowed the Pegasus code to be executed on the target device, effectively installing the spyware software. WhatsApp has since patched this vulnerability and has notified 1,400 users who have been targeted.

Another sophisticated zero-click attack associated with NSO Group’s Pegasus was based on a vulnerability in Apple’s iMessage. In 2021, Citizen Lab found traces of this exploit being used to target a Saudi activist. This attack relies on an error in the way GIFs are parsed in iMessage and disguises a PDF document containing malicious code as a GIF. In its analysis of the exploit, Google Project Zero stated, “The most striking takeaway is the depth of the attack surface reachable from what would hopefully be a fairly constrained sandbox.” The iMessage vulnerability was fixed on September 13, 2021, in iOS 14.8.

Zero-click attacks don’t only target phones. In 2021, a zero-click vulnerability gave unauthenticated attackers full control over Hikvision security cameras. Later the same year, a flaw in Microsoft Teams was proved to be exploitable through a zero-click attack that gave hackers access to the target device across major operating systems (Windows, macOS, Linux).

How to detect and mitigate zero-click attacks

Realistically, knowing if a victim is infected is quite tricky, and protecting against a zero-click attack is almost impossible. “Zero-click attacks are way more common than we thought,” says Maynier. He recommends potential targets encrypt all their data, update their devices, have strong passwords, and do everything in their power to protect their digital lives. There’s also something else he tells them: “Consider that they may be compromised and adapt to that.”

Still, users can do a few things to minimize the risk of being spied on. The simplest one is to restart the phone periodically if they own an iPhone. Experts at Amnesty have shown that this could potentially stop Pegasus from working on iOS—at least temporarily. This has the advantage of disabling any code running that has not achieved persistence. However, the disadvantage is that rebooting the device may erase the signs that an infection has occurred, making it much harder for security researchers to determine whether a device has been targeted with Pegasus.

Users should also avoid jailbreaking their devices, because it removes some of the security controls that are built into the firmware. In addition to that, since they can install unverified software on a jailbroken device, this opens them up to installing vulnerable code that might be a prime target for a zero-click attack.

As always, maintaining good security hygiene can help. “Segmentation of networks, applications, and users, use of multifactor authentication, use of strong traffic monitoring, good cybersecurity hygiene, and advanced security analytics may prove to slow down or mitigate risks in specific situations,” says Lakhani. “[These] will also make post-exploitation activities difficult for attackers, even if they do compromise [the] systems.”

Maynier adds that high-profile targets should segregate data and have a device only for sensitive communications. He recommends users keep “the smallest amount of information possible on their phone (disappearing messages are a very good tool for that)” and leave it out of the room when they have important face-to-face conversations.

Organizations such as Amnesty and Citizen Lab have published guides instructing users to connect their smartphone to a PC and check to see whether they have been infected with Pegasus. The software used for this, Mobile Verification Toolkit, relies on known Indicators of Compromise such as cached favicons and URLs present in SMS messages. A user does not have to jailbreak their device to run this tool.

Also, Apple and WhatsApp have both sent messages to people who might have been targeted by zero-click attacks that aimed to install Pegasus. After that, some of them reached out to organizations such as Citizen Lab to further analyze their devices.

Yet technology alone won’t solve the problem, says Amnesty’s Maynier. “This is ultimately a question of policy and regulation,” he adds. “Amnesty, EDRi and many other organizations are calling for a global moratorium on the use, sale, and transfer of surveillance technology until there is a proper human rights regulatory framework in place that protects human rights defenders and civil society from the misuse of these tools.”

The policy answers will have to cover different aspects of this problem, he says, from export control to mandatory human rights due diligence for companies. “We need to put a stop on these widespread abuses first,” Maynier adds.

Source: https://www.csoonline.com/article/3660055/zero-click-attacks-explained-and-why-they-are-so-dangerous.html

New WordPress sites getting hacked ‘within seconds’ of TLS certificates being issued

Attackers pounce before site owners can activate the installation wizard.

Attackers are abusing the Certificate Transparency (CT) system to compromise new WordPress sites in the typically brief window of time before the content management system (CMS) has been configured and therefore secured.

CT is a web security standard for monitoring and auditing TLS (aka SSL) certificates, which are issued by certificate authorities (CAs) to validate websites’ identity.

First implemented by the DigiCert CA in 2013, the standard mandates that CAs immediately record all newly issued certificates on public logs in the interests of transparency and the prompt discovery of rogue or misused certificates.

However, evidence is growing that malicious hackers are monitoring these logs in order to detect new WordPress domains and configure the CMS themselves after web admins upload the WordPress files, but before they manage to secure the website with a password.

Multiple testimonies have emerged detailing sites being hacked within minutes – within seconds, even – of TLS certificates being requested.

Domain owners report the appearance of a malicious file (/wp-includes/.query.php) and sites being press-ganged into joining DDoS attacks.
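A filesystem audit for the two conditions this item describes, as an added example that is not from the original report: a document root where WordPress core has been uploaded but no configuration exists yet (so the setup wizard answers to whoever arrives first), and dot-prefixed PHP files under `wp-includes` such as the `.query.php` named above. The directory layouts are constructed, and treating any hidden PHP file in `wp-includes` as suspicious is an assumption that stock WordPress ships none there.

```python
import os
import tempfile
from pathlib import Path


def config_present(docroot):
    """Mirror WordPress's lookup: wp-config.php in the docroot, or one level
    up provided that parent directory is not itself a WordPress install."""
    docroot = Path(docroot)
    if (docroot / "wp-config.php").is_file():
        return True
    parent = docroot.parent
    return ((parent / "wp-config.php").is_file()
            and not (parent / "wp-settings.php").is_file())


def hidden_php(docroot, subdir="wp-includes"):
    """List dot-prefixed PHP files under subdir, relative to the docroot."""
    docroot = Path(docroot)
    hits = []
    for dirpath, _dirs, files in os.walk(docroot / subdir):
        for name in files:
            if name.startswith(".") and name.lower().endswith(".php"):
                hits.append((Path(dirpath) / name).relative_to(docroot).as_posix())
    return sorted(hits)


def audit_docroot(docroot):
    docroot = Path(docroot)
    core_uploaded = (docroot / "wp-load.php").is_file()
    return {
        # Core files are live but nobody has completed setup yet.
        "installer_exposed": core_uploaded and not config_present(docroot),
        # Still worth checking after setup: a hijacked site has a config too.
        "hidden_php": hidden_php(docroot),
    }


def _make_core(docroot):
    """Create a constructed stand-in for an uploaded WordPress core."""
    (docroot / "wp-includes").mkdir(parents=True)
    (docroot / "wp-admin").mkdir()
    for rel in ("wp-load.php", "wp-admin/setup-config.php",
                "wp-includes/version.php"):
        (docroot / rel).write_text("<?php // constructed placeholder\n")


def demo():
    """Audit three constructed docroots and return the results by name."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        fresh = base / "fresh" / "public"        # uploaded, never configured
        _make_core(fresh)
        above = base / "above" / "public"        # config kept one level up
        _make_core(above)
        (above.parent / "wp-config.php").write_text("<?php // constructed\n")
        hijacked = base / "hijacked" / "public"  # configured, hidden file dropped
        _make_core(hijacked)
        (hijacked / "wp-config.php").write_text("<?php // constructed\n")
        (hijacked / "wp-includes" / ".query.php").write_text("<?php // constructed\n")
        sites = (("fresh", fresh), ("above", above), ("hijacked", hijacked))
        return {name: audit_docroot(path) for name, path in sites}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Running the audit before a certificate is requested for a new site shows whether the install window is open at the moment the hostname becomes public in CT logs.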

More details at: https://portswigger.net/daily-swig/wordpress-sites-getting-hacked-within-seconds-of-tls-certificates-being-issued

Google can now remove search results containing your phone number, address, or email

Helping to prevent doxxing

What just happened? You can find out a lot about a person just by Googling their name, but Google is now letting people remove more of their personal information from these results that could pose a danger, including physical addresses, phone numbers, and passwords.

Google has long allowed people to request certain sensitive, personally identifiable content be removed from its search results, such as confidential government identification, images of handwritten signatures, and bank account/credit card details.

Now, Google has expanded its list to include images of ID docs, confidential login credentials, and personal contact info (physical addresses, phone numbers, and email addresses). Additionally, Google will remove non-consensual explicit or intimate personal images, Deepfakes, images of minors, and doxxing content, which requires explicit or implicit threats or explicit or implicit calls to action for others to harm or harass.

“Research has told us there’s a larger amount of personally identifiable information that users consider as sensitive,” Michelle Chang, global policy lead for Google search, told Reuters. “They are increasingly unwilling to tolerate this content online.”

Asking Google to remove something from its search results involves sending in URLs that include your personal information and search pages that surface the links. The company will then decide if it warrants removal from the search results but warns that it will try to preserve anything newsworthy, professionally relevant, from the government (part of the public record), or is determined to be in the public interest.

Google does remind people that the information is only being removed from its search results, not from the sites hosting it, and can be surfaced through other search engines.

Google approves only about 13% of the tens of thousands of removal requests it receives each year, though it expects the removal rate to increase in light of the expanded options.

Source: https://www.techspot.com/news/94388-google-can-now-remove-search-results-containing-phone.html

You Need to Update iOS, Android, and Chrome Right Now

April has been a big month for security updates, including emergency patches for Apple’s iOS and Google Chrome to fix vulnerabilities already being used by attackers.

Microsoft has released important fixes as part of its mid-April Patch Tuesday, while Android users across multiple devices need to make sure they are applying the latest update when it becomes available.

Apple iOS and iPadOS 15.4.1, macOS 12.3.1

Just two weeks after the launch of iOS 15.4, Apple issued iOS and iPadOS 15.4.1 to fix a vulnerability in AppleAVD that’s already being used to attack iPhones. By exploiting the vulnerability, labeled CVE-2022-22675, adversaries could execute arbitrary code with kernel privileges via an app, according to Apple’s support page. This could give an attacker full control over your device, so it’s important to apply the fix.

As an added bonus, iOS and iPadOS 15.4.1 fixes a battery drain issue affecting some iPhones on iOS 15.4. The updates are available for iPhone 6s and later, iPad Pro, iPad Air 2 and later, iPad 5th generation and later, iPad mini 4 and later, and iPod touch 7th generation.

Meanwhile, macOS Monterey 12.3.1 fixes the same issue in macOS, as well as another vulnerability in the Intel graphics driver, CVE-2022-22674, which could allow an app to read kernel memory. It’s another important fix—Apple says the issue may have been exploited by attackers.

Apple also released tvOS 15.4.1 and watchOS 8.5.1 including bug fixes.

Apple updates have been coming thick and fast over the past year, with the iPhone maker fixing a number of significant vulnerabilities, including the zero-click issue exploited by the Pegasus spyware, the highly targeted malware developed by Israeli firm NSO Group. This was the subject of a recent report by security researchers at Citizen Lab, who have detailed how Pegasus and other similar zero-click attacks targeted members of the European Parliament, legislators, political activists, and civil society organizations.

A zero-click attack is particularly scary because, as the name implies, it requires no interaction to work. That means an image sent via iMessage could infect your iPhone with spyware.

Citizen Lab detailed a previously undisclosed iOS zero-click vulnerability called HOMAGE used by NSO Group. Some iOS versions prior to iOS 13.2 could be at risk, making it all the more important your iPhone is up to date.

Android’s April 2022 Patches

Android users also need to be on alert, as Google has patched 44 flaws in its mobile operating system this month. According to Google’s Android Security Bulletin, the most severe issue in the framework component could allow local privilege escalation without any interaction from the user.

The update is split into two parts: the 2022-04-01 security patch level for most Android devices, and the 2022-04-05 security patch level applying to specific phones and tablets. The later of the two fixes 30 issues in system and kernel components, among other areas. There are also patches for five security issues specific to Google’s Pixel smartphones, one of which could allow an app to escalate privileges and execute code on certain versions of Linux.

To find the update, you’ll need to check your device settings. Devices that have received the Android April update so far include Google’s Pixel devices and some third-party Android phones, including the Samsung Galaxy A32 5G, A51, A52 5G, A53 5G, A71, S10 series, S20 series, Note20 series, Z Flip 5G, Z Flip3, Z Fold, Z Fold2, and the Z Fold3, as well as the OnePlus 9 and OnePlus 9 Pro.

Google Chrome Emergency Updates

As the world’s biggest browser with over 3 billion users, it’s no surprise attackers are targeting Google Chrome. Browser-based attacks are particularly worrying because they can potentially be chained together with other vulnerabilities and used to take over your device.

It has been a particularly busy month for the team behind Google’s Chrome browser, which has seen several security updates within weeks of each other. The latest, pushed out in mid-April, fixes two issues including a high-severity zero-day vulnerability, CVE-2022-1364, which is already being used by attackers.

The technical details aren’t currently available, but the timing of the fix—just a day after it was reported—indicates it’s pretty serious. If you use Chrome, your browser should now be on version 100.0.4896.127 to include the fix. You’ll need to restart Chrome after the update has installed to ensure it activates.

The Chrome issue also impacts other Chromium-based browsers, including Brave, Microsoft Edge, Opera, and Vivaldi, so if you use one of those, make sure you apply the patch.

But that’s not all. On April 27, Google announced another Chrome update, fixing 30 security vulnerabilities. None of these have been exploited yet, the company says, but seven are rated as being a high risk. The update takes the browser to version 101.0.4951.41.

Microsoft’s Busy April Patch Tuesday

Microsoft had a major Patch Tuesday in April, issuing fixes for over 100 vulnerabilities, including 10 critical RCE flaws. One of the most important, CVE-2022-24521, is already being exploited by attackers, according to the company.

Reported by the NSA and researchers at CrowdStrike, the issue in the Windows Common Log File system driver doesn’t require human interaction to be exploited and can be used to obtain administrative privileges on a logged-in system. Other notable fixes include CVE-2022-26904—a publicly known issue—and CVE-2022-26815, a severe DNS Server flaw.

Mozilla Thunderbird 91.8.0 Fix

On April 5, Mozilla released a patch to fix security issues in its Thunderbird email client as well as its Firefox browser. The details are scant, but Thunderbird 91.8 fixes four vulnerabilities rated as having a high impact, some of which could be exploited to run arbitrary code.

Firefox ESR 91.8 and Firefox 99 also fix multiple security issues.

Source: https://www.wired.com/story/ios-android-chrome-updates-april-2022/

PHP Object Injection Vulnerability in Booking Calendar Plugin

On April 18, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for an Object Injection vulnerability in the Booking Calendar plugin for WordPress, which has over 60,000 installations.

They received a response the same day and sent over their full disclosure early the next day, on April 19, 2022. A patched version of the plugin, 9.1.1, was released on April 21, 2022.

As usual, all our ProtectYourWP clients who use this plugin were updated to the patched version within 24 hrs of its release.

Source: https://www.wordfence.com/blog/2022/04/php-object-injection-in-booking-calendar-plugin

Critical Remote Code Execution Vulnerability in Elementor

Wordfence discovered a critical vulnerability in the Elementor plugin that allowed any authenticated user to upload arbitrary PHP code. Elementor is one of the most popular WordPress plugins and is installed on over 5 million websites.

A patched version of the plugin, 3.6.3, was released on April 12, 2022.

This is a critical vulnerability that allows any authenticated user to upload and execute malicious code on a site running a vulnerable version of the Elementor plugin. The good news is that the vulnerability is not present in versions prior to 3.6.0 and was successfully patched in 3.6.3.

Source: https://www.wordfence.com/blog/2022/04/elementor-critical-remote-code-execution-vulnerability