Apple has released security updates for iOS, iPadOS, macOS, visionOS, and its Safari web browser to address two zero-day flaws that have come under active exploitation in the wild.
The flaws are listed below -

CVE-2024-44308 - A vulnerability in JavaScriptCore that could lead to arbitrary code execution when processing malicious web content
CVE-2024-44309 - A cookie management vulnerability in

Apple Releases Urgent Updates to Patch Actively Exploited Zero-Day Vulnerabilities

Freshly released court documents reveal new details on controversial Israeli spyware firm's operations.

Source: Shubham singh 007 via Shutterstock

Israel's NSO Group may know a lot more about how customers use its Pegasus commercial spyware product than the company has let on, newly released court documents connected to a legal dispute with Meta's WhatsApp suggest.

In fact, NSO Group installed and operated the spyware on behalf of its customers, making the company directly liable for the spyware's use, WhatsApp lawyers said in one court filing, released Nov. 14 in the US District Court for the Northern District of California.

The court documents are part of a lawsuit that WhatsApp filed against NSO Group in October 2019 after discovering the Israeli firm had used WhatsApp servers to distribute Pegasus to some 1,400 mobile phones, including those belonging to journalists and rights activists.

The lawyers also claimed that NSO Group repeatedly developed and used exploits for abusing WhatsApp's servers to install Pegasus on target devices, including at least once after WhatsApp had sued the company over the issue.

**NSO 'Solely Responsible'**

"NSO is solely responsible for Pegasus’s unauthorized access to WhatsApp's servers," the social media giant noted in one briefing. "Despite what NSO has claimed, its customers had a minimal role in how the spyware tool operated or collected information. All that NSO Group customers typically had to do was enter their target's phone number, press install and wait for the malware to install on the target device without any further interaction," they noted.

Related:Trustwave-Cybereason Merger Boosts MDR Portfolio

"In other words, the customer simply places an order for a target device's data, and NSO controls every aspect of the data retrieval and delivery process through its design of Pegasus," WhatsApp's lawyers said. The company, in fact, was so aware of how customers were using its malware that it actually disconnected service to 10 customers for excessive abuse, the lawyers claimed.

**Controversial Surveillance Software**

Pegasus is a controversial mobile spyware designed to secretly monitor and extract data from iOS and Android smartphones. Once installed, Pegasus can intercept messages, emails, media, and passwords, and track location data, all while evading detection by antivirus software. NSO Group claims to sell the technology solely to authorized government agencies for legitimate law enforcement, crime-fighting, and anti-terror purposes. But critics argue that the tool has been misused, particularly in authoritarian regimes, to target journalists, human rights activists, political dissidents, and others critical of the government.  

Related:Xiphera & Crypto Quantique Announce Partnership

A 2021 database leak revealed that NSO Group customers had, at the time, targeted more than 50,000 phone numbers for surveillance in countries like Mexico, Hungary, and India. The US government formally blacklisted the company in 2021, meaning its ability to operate in the US or do business with US entities abroad is severely restricted.

The NSO Group has tried to get US courts to dismiss WhatsApp's lawsuit against the company, citing, among other things, a lack of jurisdiction and the fact that its clients are mostly governments and therefore are not doing anything illegal. WhatsApp lawyers have sought to portray NSO Group as indeed being liable for Pegasus by attempting to tie the vendor more directly to customer use of the spyware tool.

In the newly released court documents, WhatsApp has alleged that NSO Group repeatedly and deliberated worked around the mechanisms the company put in place to prevent misuse of the secure messaging platform. One of them was a modified WhatsApp client app called the WhatsApp Installation Server (WIS) that could access WhatsApp's back-end servers in ways its own client software could not. NSO Group then developed tools named Heaven and Eden to interact with WIS in such a way as to trigger Pegasus downloads on target phones via WhatsApp. The company developed Eden after WhatsApp discovered Heaven and put up blocks against it. When WhatsApp engineers discovered Eden, NSO developed and used yet another tool, called Erised, through 2020, or after WhatsApp had filed its lawsuit.

Related:North Korea's Andariel Pivots to 'Play' Ransomware Games

The WhatsApp lawsuit is one of several that NSO Group is currently battling in courts worldwide from organizations and individuals impacted by the malware. In September, Apple sought voluntary dismissal of a 2021 lawsuit it had filed against NSO Group, citing concerns over the company having to share information with the court that other spyware makers could abuse going forward.

Back when the lawsuit was filed, the NSO Group was among a handful of known purveyors of such mobile spyware software. Since then, there has been a sharp increase in the number of commercial spyware vendors, driven largely by demand from government agencies. A Google report earlier this year identified spyware vendors like NSO Group as being responsible for nearly half of all zero-day exploits it counted between mid-2014 and December 2023.

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

WhatsApp: NSO Group Operates Pegasus Spyware for Customers

The tangle of user-built tools is formidable to manage, but it can lead to a greater understanding of real-world business needs.

Source: Martin Harvey via Alamy Stock Photo

COMMENTARY

Shadow IT is what your business runs on while waiting for IT to provide an enterprise solution. It's your sales team buying licenses to an obscure software-as-a-service (SaaS) because it helps them get the job done. Or it's your finance team using an unapproved tool because the approved one is too clunky. Sometimes shadow IT exists specifically to bypass an overly annoying security mechanism — figuring out a way to forward business emails to your personal Gmail account because it's easier to view on mobile, for example.

You might hope shadow IT is a problem only for large enterprises, too big to centrally manage. My experience running a small startup suggests otherwise. We agonized over our choice of a productivity tools suite — considering pros and cons and balancing user experience with governability. And people are happy to use our tool of choice; they just also use other tools in parallel. We run on Google Workspace, but many of our employees use Office because they're used to it. We use Google Drive for file sharing, but we quickly learned some people prefer iCloud.

People's personal preferences play a significant role here. They want to get their jobs done, not worry about learning a new tool. Platforms make this tendency even worse. Many try to get you to use and rely on them for a long time before asking for added licensing. Consider local file saves on Windows or Mac. By default, every local file save actually gets saved in a directory backed up into Microsoft's or Apple's cloud.

A large enterprise might have more mature security controls to prevent use of unauthorized software, but it also has much more variety in the software people would like to use. The sheer size of an enterprise and the independence of different business units exacerbate the software spread even further. The standard industry security practice for controlling software usage combines bringing in security on every license purchase and restricting software and SaaS usage on the endpoint. While those tactics are useful, they are limited in scope. Paying out of pocket, which some users will do to get the software they want, bypasses enterprise procurement.

**Approved Apps Lead to Building Unapproved Apps**

Expanding the use of existing platforms into new and unapproved feature sets is even more pervasive. Did you purchase Office 365 for productivity or Salesforce for your sales reps? Congrats. You've now empowered your business users to build their own apps with the no-code/low-code platform bundled in. Unapproved uses of enterprise platforms also bypass SaaS usage controls. Enterprises can't block access to Microsoft or Salesforce, but through them users can send corporate data to unapproved systems.

With each new discovery of an unapproved system, the security team can either try to block it or bring it under their umbrella. Either way, it's an endless game of whack-a-mole. Some tools can help with this discovery, but they often lack context about how these systems are used and which are actually important to business functions.

What if we could ask every business user what systems they use in their day-to-day, regardless of corporate policies? And ask which of those are truly vital for the business? That could give us the ultimate list: a full mapping of shadow IT, coupled with its business importance. Unfortunately, that doesn't work — simply asking people likely won't result in a full list, and what end users find vital may be different from what management does.

**User-Built Tools Expose Shadow IT Network**

Enter citizen development, in which business users leverage low-code/no-code tools to streamline their processes, analyze their data, and build custom business applications for their use cases. To be relevant, these apps must connect to the data and processes that the business uses in practice. A citizen developer is not going to call IT to integrate their app with the approved corporate service; instead, they'll connect directly to what we call shadow IT.

Here's an example. Consider a sales team using an unapproved tool for lead tracking. To sync it with the approved CRM, they use no-code automation. By finding automations that connect to the CRM and following the data flow, we can easily find the unapproved tool and what type of data it holds.

Embracing citizen development can leave security teams at a much better spot — having visibility into what software the business actually runs on — if used right.

That "if" is very important. Citizen development introduces its fair share of security risks, which must be mitigated to avoid adverse effects. But by embracing citizen development, we're letting business users codify what used to be a copy-paste data integration. Following these processes will lead us directly to the most important elements of shadow IT.

**About the Author**

CTO & Co-Founder, Zenity

Michael Bargury is an industry expert in cybersecurity focused on cloud security, SaaS security, and AppSec. Michael is the CTO and co-founder of Zenity.io, a startup that enables security governance for low-code/no-code enterprise applications without disrupting business. Prior to Zenity, Michael was a senior architect at Microsoft Cloud Security CTO Office, where he founded and headed security product efforts for IoT, APIs, IaC, Dynamics, and confidential computing. Michael holds 15 patents in the field of cybersecurity and a BSc in Mathematics and Computer Science from Tel Aviv University. Michael is leading the OWASP community effort on low-code/no-code security.

To Map Shadow IT, Follow Citizen Developers

Plus: An “AI granny” is wasting scammers’ time, a lawsuit goes after spyware-maker NSO Group’s executives, and North Korea–linked hackers take a crack at macOS malware.

In perhaps the most adorable hacker story of the year, a trio of technologists in India found an innovative way to circumvent Apple’s location restrictions on AirPod Pro 2s so they could enable the earbuds’ hearing aid feature for their grandmas. The hack involved a homemade Faraday cage, a microwave, and a lot of trial and error.

On the other end of the tech-advancements spectrum, the US military is currently testing an AI-enabled machine gun that is capable of auto-targeting swarms of drones. The Bullfrog, built by Allen Control Systems, is one of several advanced weapons technologies in the works to combat the growing threat of cheap, small drones on the battlefield.

The US Department of Justice announced this week that an 18-year-old from California has admitted to making or orchestrating more than 375 swatting attacks across the United States.

Then, of course, there’s the Donald Trump of it all. This week, we published a practical guide to protecting yourself from government surveillance. WIRED has covered the dangers of government surveillance for decades, of course. But when the president-elect is explicitly threatening to jail his political enemies—whoever that may be—now’s probably a good time to brush up on your digital best practices.

In addition to potential dragnet surveillance of US citizens, US Immigration and Customs Enforcement started ramping up its surveillance arsenal the day after Trump won reelection. Meanwhile, experts are expecting the incoming administration to roll back cybersecurity rules instituted under president Joe Biden while taking a harder line against adversarial state-sponsored hackers. And if all this political upheaval has you in the mood to protest, beware: An investigation copublished by WIRED and The Marshall Project found that mask bans instituted in several states add a complicated new layer to exercising freedom of speech.

And that’s not all. Each week, we round up the privacy and security news we didn’t cover in depth ourselves. Click the headlines to read the full stories, and stay safe out there.

In August 2016, approximately 120,000 bitcoin—at the time worth around $71 million—were stolen in a hack on the Bitfinex cryptocurrency exchange. Then in 2022, as the value of cryptocurrency had rocketed skywards, law enforcement officials in New York arrested husband and wife Ilya Lichtenstein and Heather Morgan in relation to the hack and laundering the much-inflated $4.5 billion of stolen cryptocurrency. (At the time, $3.6 billion of the funds were recouped by law enforcement investigators.)

This week, after pleading guilty in 2023, Lichtenstein was sentenced to five years of jail time for conducting the hack and laundering the profits. With subsequent cryptocurrency spikes and additional seizures related to the hack, the US government has now been able to recover more than $10 billion in assets. A series of operational security failures by Lichtenstein made much of the illicit cryptocurrency easy for officials to seize, but investigators also applied sophisticated crypto-tracing methods to unpick how the funds had been stolen and subsequently moved around.

Aside from the brazen scale of the heist, Lichtenstein and Morgan gained online prominence and ridicule after their arrests due to a series of Forbes articles written by Morgan and rap videos posted to YouTube under the name of “Razzlekhan.” Morgan, who also pleaded guilty, is due to be sentenced on November 18.

**An ‘AI Granny’ Is Wasting Phone Scammers’ Time**

Scammers are increasingly adopting AI as part of their criminal toolkits—using the technology to create deepfakes, translate scripts, and make their operations more efficient. But artificial intelligence is also being turned against the scammers. British telecoms firm Virgin Media and its mobile operator O2 have created a new “AI granny” that can answer phone calls from scammers and keep them talking. The system uses different AI models, according to The Register, that listen to what a scammer says and respond immediately. In one case, the company says it kept a scammer on the line for 40 minutes and has fed others fake personal information. Unfortunately, the system (at least at the moment) can’t directly answer calls made to your phone; instead, O2 created a specific phone number for the system, which the company says it has managed to get placed in lists of numbers that scammers call.

**Alleged NSO Group Spyware Victim Adds NSO Founders and Executive to Lawsuit**

In a new legal strategy for those attempting to hold commercial spyware vendors responsible, lawyer Andreu Van den Eynde, who was allegedly hacked with NSO Group spyware, is directly accusing two of the company’s founders, Omri Lavie and Shalev Hulio, and one of its executives, Yuval Somekh, of hacking crimes in a lawsuit. The Barcelona-based human rights nonprofit Iridia announced this week that it filed the complaint in a Catalan court. Van den Eynde was reportedly a victim of a hacking campaign that used NSO’s notorious Pegasus spyware against at least 65 Catalans. Van den Eynde and Iridia originally sued NSO Group in a Barcelona court in 2022 along with affiliates Osy Technologies and Q Cyber Technologies. “The people responsible for NSO Group have to explain their concrete activities,” a legal representative for Iridia and Van den Eynde wrote in the complaint, which was written in Catalan and translated by TechCrunch.

**North Korea-Backed Hackers Are Exploring New macOS Malware**

Research published this week by the mobile device management firm Jamf found that hackers who have been linked to North Korea have been working to implant malware inside macOS applications built with a particular open-source software development kit. The campaigns focused on cryptocurrency-related targets and involved infrastructure similar to systems that have been used by North Korea’s notorious Lazarus Group. It’s unclear if the activity resulted in actual victim compromise or if it was still in a testing phase.

Financially motivated and state-backed hackers have less occasion to use malware targeting Apple’s Mac computers than hacking tools that infect Microsoft Windows or Linux desktops and servers. So when Mac malware crops up, it’s typically a niche point, but it can also be a revealing indicator of trends and priorities among hackers.

Bitfinex Hacker Gets 5 Years for $10 Billion Bitcoin Heist

According to Mozilla, users have a lot more power to manipulate ChatGPT than they might realize. OpenAI hopes those manipulations remain within a clearly delineated sandbox.

Source: mundissima via Alamy Stock Photo

ChatGPT exposes significant data pertaining to its instructions, history, and the files it runs on, placing public GPTs at risk of sensitive data exposure, and raising questions about OpenAI's security on the whole.

The world's leading AI chatbot is more malleable and multifunctional than most people realize. With some specific prompt engineering, users can execute commands almost like one would in a shell, upload and manage files as they would in an operating system, and access the inner workings of the large language model (LLM) it runs on: the data, instructions, and configurations that influence its outputs.

OpenAI argues that this is all by design, but Marco Figueroa, a generative AI (GenAI) bug-bounty programs manager at Mozilla who has uncovered prompt-injection concerns before in ChatGPT, disagrees.

"They're not documented features," he says. "I think this is a pure design flaw. It's a matter of time until something happens, and some zero-day is found," by virtue of the data leakage.

**Prompt Injection: What ChatGPT Will Tell You**

Figueroa didn't set out to expose the guts of ChatGPT. "I wanted to refactor some Python code, and I stumbled upon this," he recalls. When he asked the model to refactor his code, it returned an unexpected response: directory not found. "That's odd, right? It's like a \[glitch in\] the Matrix."

Related:Microsoft Pulls Exchange Patches Amid Mail Flow Issues

Was ChatGPT processing his request using more than just its general understanding of programming? Was there some kind of file system hidden underneath it? After some brainstorming, he thought of a follow-up prompt that might help elucidate the matter: "list files /", an English translation of the Linux command "ls /".

In response, ChatGPT provided a list of its files and directories: common Linux ones like "bin", "dev", "tmp", "sys", etc. Evidently, Figueroa says, ChatGPT runs on the Linux distribution "Debian Bookworm," within a containerized environment.

By probing the bot's internal file system — and in particular, the directory "/home/sandbox/.openai\_internal/" — he discovered that besides just observing, he could also upload files, verify their location, move them around, and execute them.

**OpenAI Access: Feature or Flaw?**

In a certain light, all of this added visibility and functionality is a positive — offering even more ways for users to customize and level up how they use ChatGPT, and enhancing OpenAI's reputation for transparency and trustworthiness.

Indeed, the risk that a user could really do anything malicious here — say, upload and execute a malicious Python script — is softened by the fact that ChatGPT runs in a sandboxed environment. Anything a user can do will, in theory, be limited only to their specific environment, strictly cordoned off from any of OpenAI's broader infrastructure and most sensitive data.

Related:Trump 2.0 May Mean Fewer Cybersecurity Regs, Shift in Threats

Figueroa warns, though, that the extent of information ChatGPT leaks via prompt injection might one day help hackers find zero-day vulnerabilities, and break out of their sandboxes. "The reason why I stumbled onto everything I did was because of an error. This is what hackers do \[to find bugs\]," he says. And if trial and error doesn't work for them, he adds, "the LLM could assist you in figuring out how to get through it."

In an email to Dark Reading, a representative of OpenAI reaffirmed that it does not consider any of this a vulnerability, or otherwise unexpected behavior, and claimed that there were "technical inaccuracies" in Figueroa's research. Dark Reading has followed up for more specific information.

**The More Immediate Risk: Reverse-Engineering**

There is one risk here, however, that isn't so abstract.

Besides standard Linux files, ChatGPT also allows its users to access and extract much more actionable information. With the right prompts, they can unearth its internal instructions — the rules and guidelines that shape the model's behavior. And even deeper down, they can access its knowledge data: the foundational structure and guidelines that define how the model "thinks," and interacts with users.

Related:Cloud Ransomware Flexes Fresh Scripts Against Web Apps

On one hand, users might be grateful to have such a clear view into how ChatGPT operates, including how it handles safety and ethical concerns. On the other hand, this insight could potentially help bad actors reverse engineer those guardrails, and better engineer malicious prompts.

Worse still is what this means for the millions of custom GPTs available in the ChatGPT store today. Users have designed custom ChatGPT models with focuses in programming, security, research, and more, and the instructions and data that gives them their particular flavor is accessible to anyone who feeds them the right prompts.

"People have put secure data and information from their organizations into these GPTs, thinking it's not available to everyone. I think that is an issue, because it's not explicitly clear that your data potentially could be accessed," Figueroa says.

In an email to Dark Reading, an OpenAI representative pointed to GPT Builder documentation, which warns developers about the risk: "Don't include information you do not want the user to know" it reads, and flags its user interface, which warns, "if you upload files under Knowledge, conversations with your GPT may include file contents. Files can be downloaded when Code Interpreter is enabled."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

ChatGPT Exposes Its Instructions, Knowledge &amp; OS Files

Eight Android apps on the Google Play Store, downloaded by millions, contain the Android.FakeApp trojan, stealing user data…

Eight Android apps on the Google Play Store, downloaded by millions, contain the Android.FakeApp trojan, stealing user data – Here’s the complete list, delete the NOW!

Russian cybersecurity firm Dr. Web has exposed several Android apps on the Google Play Store that contain a sophisticated trojan, Android.FakeApp.1669 (also known as Android/FakeApp).

These apps, which claim to provide practical functions like financial tools, planners, and recipe books; contain a hidden payload that redirects users to unwanted websites, compromising their data. What’s worse, more than **2 million users** have downloaded these infected apps from Google Play, unaware of the threat.

Malware on the official Google Play Store is nothing new. In fact, reports from last month indicate a rise in malicious apps on both the Apple App Store and Google Play Store.

One of the infected apps, with over 1 million downloads, has recent user comments expressing frustration with its functionality (Screenshot credit: Hackread.com).

**Android.FakeApp.1669**

Android.FakeApp.1669 is part of the Android.FakeApp trojan family, a group of malware that usually redirects users to different websites, disguised as legitimate apps. However, this variant is especially notable due to its reliance on a modified **dnsjava library** that allows it to receive commands from a malicious DNS server, which, in turn, supplies a target link. Rather than the app’s advertised function, this target link is displayed on the user’s screen, often pretending to be an online casino or an unrelated website.

According to Dr. Web’s report, the malware activates only under specific conditions. If the infected device is connected to the Internet through designated mobile data providers, the DNS server will send a configuration to the app, containing a link that loads within the app’s WebView interface. When not connected to targeted networks, the app functions as expected, making detection difficult for users.

In January 2018, the Android.FakeApp trojan was first discovered in a fake Uber app for Android. Later, in March 2018, the same malware targeted Facebook users to steal data. In May 2020, a fake mobile version of the game Valorant was spreading the Android.FakeApp trojan just as the official version was set to release that summer.

**Infected Apps and Download Counts**

These apps claimed to be useful tools, from personal finance and productivity applications to cooking and recipe collections. However, once launched, the apps would connect to the DNS server to retrieve a configuration containing the website link to display.

Dr. Web’s investigation revealed several apps on the Google Play Store, some with high download counts, infected by Android.FakeApp.1669. While Google has removed some of these apps, millions of users had already installed them before the removal. Below is a list of apps identified by Dr. Web’s malware analysts, with their respective download counts:

**App Name**

**Number of Downloads**

Split it: Checks and Tips

1,000,000+ (On Google Play at the time of writing)

FlashPage parser

500,000+ (On Google Play at the time of writing)

BeYummy – your cookbook

100,000+ (On Google Play at the time of writing)

Memogen

100,000+ (Deleted)

Display Moving Message

100,000+ (On Google Play at the time of writing)

WordCount

100,000+ (On Google Play at the time of writing)

Goal Achievement Planner

100,000+ (On Google Play at the time of writing)

DualText Compare

100,000+ (On Google Play at the time of writing)

Travel Memo

100,000+ (Deleted)

DessertDreams Recipes

50,000+ (On Google Play at the time of writing)

Score Time

10,000+ (Deleted)

**How Android.FakeApp.1669 Operates**

Once downloaded, the trojan gathers specific data from the user’s device, such as:

*   Screen size
*   Device model and brand
*   Battery charge percentage
*   Developer settings status
*   Device ID, which includes the installation time and a random number.

This data, coded into a unique sub-domain name, allows the server to customize its response to each infected device. When the device meets the connection criteria, Android.FakeApp.1669 retrieves and decrypts data from the DNS server, eventually loading a link that redirects to an unwanted website, typically an online casino.

The decryption process involves reversing and decoding Base64 data and decompressing it, revealing sensitive configuration details.

****Recommendations for Users****

Given the high download count, Android users should take immediate steps to protect themselves. First, it’s crucial to delete any infected apps. Uninstall any app from the list provided or other similar apps that display suspicious behaviour to minimize potential security risks.

Additionally, read the comments on these apps; many users have left negative reviews, noting that the apps spam ads and cause their devices to freeze, a behaviour that allows the malware to operate in the background.

Next, use **trusted security software**, regularly checking app permissions is another vital step. Users should review the permissions requested by apps, avoiding any unnecessary access that could compromise device security. Additionally, updating both the device and applications frequently can help prevent certain types of malware infections, as updates often include important security patches.

Nevertheless, download with caution, even when using official sources like Google Play. Reviewing app permissions and reading user feedback before downloading can help spot potential red flags and avoid risky apps.

_Hackread.com_ has reached out to Google, and this article will be updated with any new developments or if Google removes the app. Stay tuned.

1.  **First Mobile Crypto Drainer on Google Play Steals $70K**
2.  **Spyware Found in Google Play Store Apps, 2m Downloads**
3.  **Malware infected Minecraft modpacks hit Google Play Store**
4.  **35 malicious apps found on Google Play, installed by 2m users**
5.  **Google Removes Swing VPN Android App Exposed as DDoS Botnet**

These 8 Apps on Google Play Store Contain Android/FakeApp Trojan

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on…

Group-IB has uncovered Lazarus group’s stealthy new trojan and technique of hiding malicious code in extended attributes on macOS. Learn how this advanced persistent threat (APT) is evading detection and the steps you can take to protect yourself.   

Cybersecurity researchers at Group-IB report that the North Korean state-backed **APT Lazarus group**, is now deploying a new macOS trojan called “RustyAttr.” This malware, along with a new evasion technique, lets Lazarus carry out its operations while remaining undetected.

Since May 2024, the Lazarus Group has been employing a technique that hides malicious code within the extended attributes (EAs) of files on macOS systems, utilizing the RustyAttr trojan. Extended attributes are hidden data containers attached to files, enabling the storage of additional information beyond standard attributes such as size or creation date.

This method is particularly tricky because these attributes are invisible by default in applications like Finder or Terminal. However, using the .xattr command, attackers can easily access and exploit this hidden data.

In 2020, **Bundlore adware** used a similar technique to hide its payload in resource forks which stored structured data on older macOS systems, researchers noted in the **blog post** shared with Hackread.com.

The possible attack scenario involves a legitimate-looking malicious application, built using the Tauri framework. It displays **fake PDF files** related to job opportunities or cryptocurrency, a theme consistent with Lazarus. 

For your information, the Tauri framework is a web-based tool for creating lightweight desktop applications, enabling developers to use HTML, CSS, JavaScript, and Rust for front and backend, respectively, to execute malicious scripts.

The shell scripts reveal two types of decoys: one fetches a PDF file from a file hosting service, containing questions related to game project development and funding, and the other displays a dialogue stating that the app does not support the specified version, while a web request to the staging server processes in the background. The malicious script is hidden within a custom extended attribute named “test”. 

The application leverages a JavaScript file named “preload.js” to interact with the hidden script. This JavaScript code, using **Tauri’s functionalities**, retrieves the script from the extended attribute and executes it. 

Example of one of the malicious PDF files pushing a fake job advert (Via Group-IB)

“Interestingly, the next behaviour is as follows – if the attribute exists, no user interface will be shown whereas, if the attribute is absent, the fake webpage will be shown,” the researchers revealed.

The malicious components are hidden within the extended attributes, making them invisible to antivirus scanners. The applications were initially signed with a leaked certificate (revoked by Apple now) but remained unnotarized, bypassing another layer of possible detection.

While the researchers haven’t identified any confirmed victims yet, they believe Lazarus might be experimenting with this technique for future attacks. This discovery is important because it’s a completely new tactic, not yet documented in the MITRE ATT&CK framework, a standard reference for attack techniques.

The Lazarus group’s sophistication and continuous expansion of tactics show their efforts to evade detection and compromise systems. To stay safe, verify the source and legitimacy of files before downloading or executing them, and avoid downloading harmless content like PDFs without checking even if it appears legitimate.

Keep **macOS Gatekeeper** on as it prevents the execution of untrusted applications. Lastly, utilize advanced threat intelligence solutions to remain aware of emerging threats and develop effective protection strategies.

1.  **Fake North Korean IT Workers Infiltrate Western Firms**
2.  **North Korean Hackers Team Up with Play Ransomware**
3.  **N Korean hackers stole $1.7 billion from crypto exchanges**
4.  **North Korean Hackers Drop Linux Malware for ATM Cashouts**
5.  **SnatchCrypto attack hits DeFi, Blockchain Firms with backdoor**

Lazarus Group Targets macOS with RustyAttr Trojan in Fake Job PDFs

Less-experienced users of Microsoft's website building platform may not understand all the implications of the access controls in its low- or no-code environment.

Source: IB Photography via Alamy Stock Photo

Untold millions of sensitive records and personal data are exposed on the open Web right now, thanks to missing or misconfigured access controls in websites built with Microsoft Power Pages.

Power Pages, born in 2022 from PowerApps Portals, is Microsoft's low-code website building platform. It is commonly used to design externally facing sites, such as portals for employees and retailers, or event registration or management sites. Back when it was released to the general public, Microsoft bragged that it already served more than 100 million monthly active website users, in industries as diverse as high tech and healthcare, education, finance, manufacturing, and government.

Alongside its suite of easy, drag-and-drop tools and features, Power Pages comes fitted with role-based access controls, which developers can use to define the data any given user can access. But as Aaron Costello, chief of software-as-a-service (SaaS) security research at AppOmni, recently discovered, many sites simply aren't implementing these controls correctly, if at all.

The result: Vast swaths of sensitive information, from sites around the Web, are available right now to anyone who cares to look for it.

**Misconfigured Power Pages**

Power Pages sites use Microsoft's cloud-based relational database, Dataverse, to store structured data. To protect that data, developers can call upon a variety of access controls.

First and most obvious are site-level settings, which define whether and how users need to authenticate and register accounts on a site.

The next tier down is table-level controls. With these, site administrators can define which kinds of users can perform what actions on what data.

The most granular of Power Pages access controls apply at the level of Dataverse columns. One notable tool Power Pages offers at this level is "masking," where site admins can obfuscate certain categories of data, like the first five digits of Social Security numbers listed in a given column.

The problem is that admins aren't always making use of these three rungs of access controls, if any at all. As a result, accessing the data on their sites is "very, very trivial," Costello says. "Once you understand \[what's going on\], it's just a matter of going to these URLs."

"Typically what happens is that instead of granting someone the ability to view their own data, they've actually granted them the ability to view all data. As a result, excessive amounts of information — often sensitive — is exposed to each user," he explains.

Some sites grant even anonymous users "global access" to read data from tables, for example, and not one website Costello probed in his research implemented any sort of column-level security. Other sites restrict certain data to authenticated users, but undermine that protection by allowing anyone from the Web to register and authenticate themselves.

Costello only probed websites hosted by organizations with cybersecurity disclosure policies — those which might be more amenable to hearing about their lacking security postures. Even with that limitation, he ultimately discovered 5 million to 7 million exposed records from a wide array of Power Pages websites.

One large business service provider, for example, leaked personal information belonging to 1.1 million employees of the UK's National Health Service (NHS). The data included employees' telephone numbers, email addresses, home addresses, and more.

**An Industrywide Issue**

As Costello is quick to point out, "In previous research, I discussed the exact same kind of issue in other popular SaaS platforms, such as Salesforce, ServiceNow, and NetSuite. And those are all platforms that have different use cases. I wouldn't say that this is by any means a unique problem to Power Pages. What this comes down to isn't the product itself, but more so a misunderstanding of its access controls."

When it comes to warning users about landmines, Power Pages does quite well. "When you do misconfigure data to be accessible by anyone, you get warning banners popping up on your page in a variety of different places, Costello adds. "So Microsoft really does their best to make organizations aware of what they're doing is dangerous. However, organizations are choosing to ignore the warning signs."

Besides negligence, the frequency of Power Pages misconfigurations might theoretically be explained by the demographics of its audience. By their nature, low- and no-code platforms are more attractive to less technical users, who may be less well-versed in matters of cybersecurity.

"If you're someone who is not technical, and you're just dragging and dropping buttons and forms to design a page, you may not be the type of person who has an understanding of what access controls are even necessary," Costello posits. Or, perhaps, the ease of designing a low- or no-code site might ease the more careful, analytical parts of one's brain. "Low-code platforms do typically lend a false sense of security," he says.

Dark Reading has reached out to Microsoft for comment on this story.

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Microsoft Power Pages Leak Millions of Private Records

APT Wirte is doing double duty, adding all manner of supplemental malware to gain access, eavesdrop, and wipe data, depending on the target.

Source: Christophe Coat via Alamy Stock Photo

A longstanding threat actor affiliated with Hamas has been conducting espionage against governments across the Middle East and destructive wiper attacks in Israel.

"Wirte" is a 6 1/2-year-old advanced persistent threat (APT) working to support Hamas' political agenda. Check Point Research identifies it as a subgroup of the Gaza Cybergang (aka Molerats), which is also thought to overlap with TA402.

In recent weeks and months, Wirte has leveraged the Gaza war to spread phishing attacks against government entities spread across the region. It has also been carrying out wiper attacks in Israel. "It shows that Hamas still has cyber capabilities, even with the ongoing war," says Sergey Shykevich, threat intelligence group manager at Check Point.

**Wirte's Spying and Wiping Attacks**

Wirte attacks are not particularly unique or sophisticated. A PDF in an email might contain a link directing targets to a file for download, named in some way to lend it legitimacy (e.g., "Beirut — Developments of the War in Lebanon 2"). The file will contain a lure document, one or more legitimate executables, and the malware.

To upgrade this infection chain, Wirte has sometimes made use of the IronWind loader, starting in October 2023. IronWind uses a complex, multistage infection chain to drop malware, with the goal of frustrating analysis. It employs geofencing, and reflective loaders that run code directly in memory, rather than on the disk, where it might otherwise be spotted by antivirus software.

In an espionage-focused attack, the end of this chain might bring the open source penetration testing framework "Havoc." Havoc enables persistent access to a compromised machine, useful for establishing remote control, performing lateral movement, stealing data, and more.

In February and October 2024, by contrast, Wirte campaigns climaxed with the deployment of a wiper called "SameCoin."

Last month, Wirte puppetted the email address of a legitimate Israeli reseller of ESET software. Its lure message — sent to hospitals, municipal governments, and others — warned recipients that "Government-based attackers may be trying to compromise your device!" and included a download link. The link first tried to connect to the website for Israel's Home Front Command, a wing of the Israel Defense Forces (IDF) responsible for protecting civilians. Its site is accessible only to those within Israel, so if the redirection succeeded, the attack would proceed.

Next, a downloaded zip file dropped and decrypted a pro-Hamas wallpaper JPG, a propaganda video, a tool designed to enable lateral movement within targeted networks, and the SameCoin wiper.

Still image from a political video spread in the SameCoin campaign; Source: @NicoleFishi19 on X

**What Wirte Wants**

Wirte spying has crossed into Egypt and Saudi Arabia, but its favored targets appear to be from Jordan and the Palestinian Authority (PA), the government entity that oversees parts of the West Bank and is controlled by Fatah, Hamas's primary political rival within Palestine. For the most part, this has remained consistent in its half-dozen-year history.

Wirte has evolved somewhat is in its approach to Israel. And in this way, it has also mirrored other Palestinian threat actors.

"Before the war, it was focused mostly on espionage, and stealthy persistence in networks," Shykevich explains. This is in stark contrast to its latest wave of loud wiper attacks, for example, which were timed to begin on Oct. 7, the one-year anniversary of Hamas's Operation Al-Aqsa Flood, the terror attack that killed more than 1,000 Israelis and led to the capture of nearly 250 more.

"Now, it has become more and more about making \[breaches\] public, showing the data, the destruction. The focus is more and more on hack-and-leak operations, and how they can use cyber capabilities to try to shape a narrative."

Don't miss the upcoming free Dark Reading Virtual Event, "Know Your Enemy: Understanding Cybercriminals and Nation-State Threat Actors," Nov. 14 at 11 a.m. ET. Don't miss sessions on understanding MITRE ATT&CK, using proactive security as a weapon, and a masterclass in incident response; and a host of top speakers like Larry Larsen from the Navy Credit Federal Union, former Kaspersky Lab analyst Costin Raiu, Ben Read of Mandiant Intelligence, Rob Lee from SANS, and Elvia Finalle from Omdia. Register now!

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Hamas Hackers Spy on Mideast Gov'ts, Disrupt Israel

Three technologists in India used a homemade Faraday cage and a microwave oven to get around Apple’s location blocks.

When Apple released a software update at the start of November that enabled its new hearing aid features in AirPods Pro 2 earbuds, Rithwik Jayasimha immediately went out with his dad to buy a pair for his grandma. “We came back home, we took them out of the case, and I was looking for the feature and it was just missing,” Jayasimha says. India, where Jayasimha and his family live, is not one of the many countries where Apple’s hearing aid features are available. “It was a huge bummer,” Jayasimha says.

Instead of abandoning the headphones, Jayasimha and two friends, Arnav Bansal and Rithvik Vibhu—both of whom say they have grandmas who use hearing aids as well—hacked a way to bypass Apple’s location restrictions and enable their hearing aids in Bangalore.

To dodge Apple’s geolocation restrictions, the trio built a rudimentary, signal-blocking Faraday cage on top of a microwave with aluminum foil, which ultimately allowed them to enable the hearing aid settings. “We don’t even think it’s Apple’s fault. The feature is amazing,” Jayasimha says.

One of the older hearing aids that was replaced with an Apple’s AirPods Pro 2.Photograph: Lagrange Point/Rithwik Jayasimha

The group members, who have a mix of hardware and software skills and first detailed their hack as part of a technology collective called Lagrange Point, say a couple of dozen people have contacted them asking for help with their AirPods. “We’ve got a huge amount of interest from folks in India who have these AirPods or whose grandparents need them and they’ve not been able to use them,” Jayasimha says. Others have documented the same issue in social media posts.

The researchers demonstrated that they could bypass Apple’s geographic restrictions with a set of AirPods Pro 2 connected to a 10th generation Wi-Fi-only iPad. They note that it would be possible to do the workaround on an iPhone or iPad connected to a mobile carrier as well, but it would be more involved.

To find the workaround, the researchers first looked at the different ways that iOS establishes where a device is in the world. For Wi-Fi-only devices, there are a few checks. The server looks at which Apple Store region the device is connected to, as well as the time zone, language, and region the device is set to. Additionally, the operating system sends a simple web request to an Apple web service that then responds with the country code of the country the device appears to be in based on the location associated with its IP address.

The researchers first tried manually changing the time zone and region settings for the iPad, but it ultimately wasn’t clear whether this impacted their ability to hide the iPad’s true location. When masking the iPad’s IP address so it would appear to be connected in the United States didn’t work, the researchers assessed other metrics the device might be using to establish its geographic location. It turns out that iOS also examines Wi-Fi “service set identifiers,” or SSIDs, that help devices connect to the right Wi-Fi network when there are many network signals in the air—like in an apartment building or at a coffee shop.

The operating system also uses GPS triangulation and device identifier “MAC addresses” of nearby devices, including routers, to establish a device’s location. In other words, even if a person in Bangalore uses a proxy to make it seem like their iPad has a US-based IP address, all the nearby routers and devices are associated with India-located IP addresses that give the real location away.

To deal with this, the researchers rigged up a Faraday cage, which blocks electromagnetic signals, to isolate the iPad from the other devices and wireless networks around it. They built their aluminum-foil-clad enclosure on top of a regular kitchen microwave and then turned on the microwave whenever they wanted to block signals to the iPad. The setup worked because consumer microwaves heat food using electromagnetic waves that are at the same frequency as Wi-Fi signals—2.4 GHz. Essentially, the researchers had turned their microwave oven into a Wi-Fi jammer.

The hackers first built a Faraday cage using a cardboard box and several sheets of aluminum foil, and placed it on top of a microwave to further block wireless signals.Photograph: Lagrange Point/Rithwik Jayasimha

“We put several layers of aluminum inside and outside \[a cardboard box\] and we’d see some signal strength drop,” Bansal says. “Of course, it’s not going to be great, but combined with the microwave, it worked.”

Ultimately, the researchers designed a less ingenious, but simpler and more reliable Faraday cage to make their manipulation more practical. With the iPad placed in its own shielded bubble, the researchers used an open source Wi-Fi location database and Wi-Fi SSID cycling tool to trick iOS into locating the iPad in California. With this complete, the AirPods could work as hearing aids in India.

Apple offers the hearing aid features in more than 100 countries, and it has great promise as a tool for making hearing aid tech more accessible—and more palatable—to millions of people around the world. But the company isn’t able to offer the feature everywhere and restricts access in certain countries, like India, likely because of regulatory hurdles related to medical devices. The fact that it’s possible to circumvent these restrictions may offer a solution, at least temporarily, for people in blocked countries who are looking for a workaround.

Apple did not return WIRED’s request for comment about the findings, but the researchers note that it seems like it would be possible for Apple to close the loophole they discovered fairly easily. They say they haven’t heard from the company.

Alan Woodward, a cybersecurity professor at the University of Surrey, says their work is “very interesting” and demonstrates how there may often be ways around “safeguards” put in place by Big Tech. “It shows that those with the technical understanding can bypass the geofencing of apps relatively simply,” Woodward says. “Not that everyone could do it, but they probably know someone that can.”

“I’m not sure how many people realize the number of variants in something like iOS even on what is apparently the same version—the build number is what really matters,” Woodward says. “It’s more a lesson to people that you have more than you realize on your phone.”

The second version of the Faraday cage, which the researchers plan to use to run more experiments.Photograph: Lagrange Point/Rithwik Jayasimha

Services offered by Big Tech companies such as Apple and Google often have had staggered launches around the world as lawmakers have introduced regulations to control technology companies’ power and protect people’s rights. In the EU, for instance, several AI products have been delayed or not launched due to strict privacy laws. Apple has also been required to allow alternative App Stores due to EU rules. At the same time, right-to-repair movements have grown in popularity, and people have increasingly been hacking into the products they buy.

While the three researchers in India believe that it is likely Apple’s hearing aid features will officially come to the country in the coming months, they plan in the meantime to help the dozens of people they say have reached out to them about their own headphones. They also plan on using the second version of the Faraday cage to set up people’s AirPods. From their own grandmas’ experiences, the hearing aid features appear to be valuable in their everyday lives.

Bansal says his grandma has some hearing loss and other health challenges, but has typically worn hearing aids while watching television. “She used to wear her old clunky hearing aids, and they were really problematic because they had these tiny little buttons on them,” Bansal says. “But now she uses the AirPods, we’ve set it up with her hearing profile, and she can use it to watch the TV just fine and it’s a lot nicer. She doesn’t feel like a patient wearing it.”

Tag

#apple