
Apple Sent Mercenary Threat Notifications to iPhone Users in 92 Countries

CISA warns Sisense customers to reset credentials, Cybercom conducted 22 hunt forward ops last year, New side-channel flaw demo'ed affecting Intel-powered Linux systems, AT&T notifies regulators of breach, Sec. 702 reauthorization sidelined by Trump, NetHunter group hacked Israeli military affairs ministry, Intellexa showcases spyware delivered via ads, GitHub search functionality exploited to deliver malware, much more

Check out my latest CSO column, which delves into the cloud security recommendations in last month’s CSRB report that blasted Microsoft.

Apple sent threat notifications to iPhone users in 92 countries, warning them that they may have been targeted by mercenary spyware attacks without disclosing the attackers’ identities or the countries where users received notifications.

“Apple detected that you are being targeted by a mercenary spyware attack that is trying to remotely compromise the iPhone associated with your Apple ID -xxx-,” it wrote in the warning to affected customers.

“This attack is likely targeting you specifically because of who you are or what you do. Although it’s never possible to achieve absolute certainty when detecting such attacks, Apple has high confidence in this warning — please take it seriously,” Apple added in the text.

“We are unable to provide more information about what caused us to send you this notification, as that may help mercenary spyware attackers adapt their behavior to evade detection in the future,” the company told impacted customers.

In the texts, Apple dropped the phrase "state-sponsored" it used in its previous alerts to refer to such malware attacks. The company had previously said on its website that its threat notifications were designed to inform and assist users who might have been targeted by "state-sponsored attackers."

Apple's removal of the term "state-sponsored" from its description of threat notifications comes after it repeatedly faced pressure from the Indian government on linking such breaches to state actors, said a source with direct knowledge.

The iPhone maker sends these kinds of notifications multiple times a year and has notified users of such threats in over 150 countries since 2021, according to an updated Apple support page. (Manish Singh / TechCrunch and Ashna Teresa Britto / Reuters)

The US Cybersecurity and Infrastructure Security Agency (CISA) is warning customers of business intelligence and data analytics software Sisense to reset their credentials and secrets after the data analytics company reported a security incident.

CISA said it was responding to a “recent compromise” at Sisense, which provides business intelligence and data analytics to companies around the world.

CISA said it urges Sisense customers to “reset credentials and secrets potentially exposed to, or used to access Sisense services” and to report any suspicious activity involving the use of compromised credentials to the agency.

The exact nature of the security incident is not clear. News of the incident first emerged after cybersecurity journalist Brian Krebs published a note sent by Sisense chief information security officer Sangram Dash urging customers to “rotate any credentials that you use within your Sisense application.”

Companies like Sisense rely on credentials, such as passwords and private keys, to access a customer’s various data stores for analysis. An attacker could potentially also access a customer’s data with access to these credentials.

Sisense has customers such as Air Canada, PagerDuty, Philips Healthcare, Skullcandy, and Verizon, as well as thousands of other organizations globally.

CISA said it is “taking an active role in collaborating with private industry partners to respond to this incident, especially as it relates to impacted critical infrastructure sector organizations.” (Zack Whittaker / TechCrunch)

Related: CISA

In written testimony, US Cyber Command and NSA head Timothy Haugh told the Senate Armed Services Committee that the Command sent personnel from the Cyber National Mission Force (CNMF) on 22 “hunt forward” missions to 17 different countries last year alone.

The disclosure is notable for the Command, which has previously not shared an annual figure for such missions since they began in 2018. Data on the exact number of missions has always been vague, in part because host countries don’t want adversaries to know they invited the US to work on their networks and inadvertently sniff out potential vulnerabilities.

Last year’s expeditions collected over 90 malware samples that were then publicly released and shared with the US cybersecurity community, according to Haugh. “Such disclosures can make billions of Internet users around the world safer online and frustrate the military and intelligence operations of authoritarian regimes,” he wrote.

The number of missions could rise even higher this year as the US prepares for possible interference from multiple foreign nations, particularly Russia, in the 2024 presidential election.

“Moscow likely views the upcoming US election as an opportunity for malign influence and has previously targeted elections in the United States and Europe,” Haugh said in his testimony.

“We assess they will most likely do so again in this year’s elections,” he added, echoing previous warnings by US intelligence leaders about threats to November’s elections. (Martin Matishak / The Record)

Researchers at the VUSec group from VU Amsterdam demonstrated the "first native Spectre v2 exploit" for a new speculative execution side-channel flaw that impacts Linux systems running on many modern Intel processors.

Spectre V2 is a new variant of the original Spectre attack discovered by a team of researchers at the VUSec group from VU Amsterdam. Speculative execution is a performance optimization technique in which modern processors guess which instructions will be executed next and start executing them before they know whether they are needed. As modern processors are extremely powerful, they can predict multiple paths a program may take and execute them simultaneously.

If one of the guesses is correct, application performance increases. If the guesses are wrong, the CPU discards the previous work and proceeds as usual without changing performance.

However, while this feature improves performance, it also introduces security risks by leaving traces of privileged data in CPU caches, which attackers can potentially access.

Two attack methods are Branch Target Injection (BTI), which involves manipulating the CPU's branch prediction to execute unauthorized code paths, and Branch History Injection (BHI), which manipulates branch history to cause speculative execution of chosen gadgets (code paths), leading to data leakage.

Intel has already assigned CVE-2022-0001 and CVE-2022-0002 to BTI and BHI, respectively, while CVE-2024-2201 involves a new Spectre v2 exploit that works against the Linux kernel. Intel has also updated its mitigation recommendations for Spectre v2 and now proposes disabling unprivileged Extended Berkeley Packet Filter (eBPF) functionality, enabling Enhanced Indirect Branch Restricted Speculation (eIBRS), and enabling Supervisor Mode Execution Protection (SMEP).

Moreover, Intel recommends adding LFENCE (Load Fence) instructions to specific locations in the code to serve as serialization points and implementing software sequences that clear the Branch History Buffer (BHB) for transitions between different security domains.

As the CERT Coordination Center (CERT/CC) disclosed, the new flaw, tracked as CVE-2024-2201, allows unauthenticated attackers to read arbitrary memory data by leveraging speculative execution, bypassing present security mechanisms designed to isolate privilege levels.

The researchers also released a tool that uses symbolic execution to identify exploitable code segments (gadgets) within the Linux kernel to help with mitigation. The data at risk from such leaks includes account passwords, encryption keys, sensitive personal or corporate information, software code, and more. (Bill Toulas / Bleeping Computer)
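As an added illustration (not from the article, VUSec or Intel), the following Python script checks a Linux host against the mitigation posture described above: it reads the kernel's spectre_v2 sysfs report, the kernel.unprivileged_bpf_disabled sysctl and the CPU feature flags, and lists which of the recommended mitigations (eIBRS, BHB clearing, disabled unprivileged eBPF, SMEP) are absent. The sysfs and sysctl paths are the kernel's own, but the exact status wording varies across kernel versions, so the parsing is deliberately loose and the sample strings used to exercise it are constructed.

```python
"""Spectre v2 / BHI mitigation audit for a Linux host (added example).

Reads the kernel's sysfs vulnerability report, the unprivileged eBPF sysctl
and the CPU feature flags, then compares them with the mitigations Intel
recommends in the article: eIBRS, BHB clearing, no unprivileged eBPF, SMEP.
"""
import re
from pathlib import Path

SYSFS_SPECTRE_V2 = Path("/sys/devices/system/cpu/vulnerabilities/spectre_v2")
SYSCTL_UNPRIV_BPF = Path("/proc/sys/kernel/unprivileged_bpf_disabled")
CPUINFO = Path("/proc/cpuinfo")

# Order in which findings are reported.
CHECKS = ["spectre_v2_mitigated", "eibrs", "bhi_mitigated",
          "unprivileged_ebpf_disabled", "smep"]


def assess(spectre_v2: str, unpriv_bpf_disabled: str, cpu_flags: str) -> dict:
    """Evaluate raw kernel strings; returns one boolean per check plus the BHI text."""
    status = spectre_v2.strip()
    flags = set(cpu_flags.split())
    findings = {}
    # Anything other than "Mitigation: ..." (e.g. "Vulnerable") means no protection.
    findings["spectre_v2_mitigated"] = status.startswith("Mitigation:")
    # Enhanced/Automatic IBRS stops user-mode code from training kernel-mode
    # indirect branch predictions; the kernel prints "Enhanced IBRS" or
    # "Enhanced / Automatic IBRS".
    findings["eibrs"] = "Enhanced" in status
    # Kernels patched for CVE-2024-2201 append a "BHI: ..." field naming the
    # Branch History Buffer clearing in use. Older kernels print no field at
    # all, which is treated as unmitigated, as is "BHI: Vulnerable".
    match = re.search(r"BHI:\s*([^;,]+)", status)
    bhi = match.group(1).strip() if match else None
    findings["bhi_status"] = bhi
    findings["bhi_mitigated"] = bhi is not None and not bhi.lower().startswith("vulnerable")
    # kernel.unprivileged_bpf_disabled: 0 = unprivileged eBPF allowed (the
    # setting Intel now advises against), 1 = disabled, 2 = disabled until reboot.
    findings["unprivileged_ebpf_disabled"] = unpriv_bpf_disabled.strip() in ("1", "2")
    # SMEP is a CPU feature flag; the kernel enables it whenever it is present.
    findings["smep"] = "smep" in flags
    return findings


def missing_mitigations(findings: dict) -> list:
    """Names of the recommended mitigations that the host lacks, in CHECKS order."""
    return [name for name in CHECKS if not findings.get(name)]


def _read(path: Path, default: str) -> str:
    try:
        return path.read_text()
    except OSError:  # not Linux, or the file is not exposed in this environment
        return default


def audit_host() -> dict:
    """Collect the live values from this host and assess them."""
    cpuinfo = _read(CPUINFO, "")
    flag_line = next((ln for ln in cpuinfo.splitlines() if ln.startswith("flags")), "flags :")
    cpu_flags = flag_line.split(":", 1)[1]
    return assess(_read(SYSFS_SPECTRE_V2, "Unknown"),
                  _read(SYSCTL_UNPRIV_BPF, "0"),
                  cpu_flags)


if __name__ == "__main__":
    result = audit_host()
    print("spectre_v2:", result)
    gaps = missing_mitigations(result)
    print("missing mitigations:", ", ".join(gaps) if gaps else "none")
```

Note that the sysfs report says nothing about the LFENCE serialization points Intel also recommends; those live in compiled code and cannot be audited from userspace this way.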

AT&T has begun notifying US state authorities and regulators of a security incident after confirming that millions of customer records posted online last month were authentic.

In a legally required filing with Maine’s attorney general’s office, the telco giant said it sent letters notifying more than 51 million people, including around 90,000 individuals in Maine, that their personal information was compromised in the data breach. AT&T also notified California’s attorney general of the breach.

AT&T said that the breached data included customers’ full names, email addresses, mailing addresses, dates of birth, phone numbers, and Social Security numbers. Leaked customer information dated back to mid-2019 and earlier. According to AT&T, the records contained valid data on more than 7.9 million current AT&T customers.

AT&T took action around three years after a subset of the leaked data first appeared online, which prevented any meaningful analysis of the data. The entire cache of 73 million leaked customer records was dumped online last month, allowing customers to verify that their data was genuine. Some of the records included duplicates.

The leaked data also included encrypted account passcodes, which allow access to customer accounts. (Zack Whittaker / TechCrunch)

House Speaker Mike Johnson lost 19 Republicans in a procedural vote for reauthorizing the Section 702 surveillance program under the Foreign Intelligence Surveillance Act hours after Donald Trump ordered Republicans to “Kill FISA” in a 2 am post on Truth Social.

The Section 702 surveillance program, which targets foreigners overseas while sweeping up a large amount of US communications as well, is set to sunset on April 19. The program was extended by four months in late December following Johnson’s first failed attempt to hold a vote.

The program will continue into next year, regardless of whether Johnson manages to muster up another vote in the next week. Congress does not directly authorize the surveillance. Instead, it allows the US intelligence services to seek “certifications” from a secret surveillance court every year.

The Justice Department applied for new certifications in February. The certifications, which are required only due to the “incidental” collection of US calls, generally permit the program’s use in cases involving terrorism, cybercrime, and weapons proliferation. US intelligence officials have also touted the program as crucial in combating the flood of fentanyl-related substances entering the US from overseas.

The program remains controversial due to a laundry list of abuses committed primarily at the Federal Bureau of Investigation, which maintains a database that holds a portion of the raw data collected under 702. (Dell Cameron / Wired)

A hacking group that refers to itself as NetHunter broke into the Israeli regime’s Ministry of military affairs, offering to sell stolen data unless the government releases hundreds of Palestinian prisoners.

The group announced the breach in a video message posted on its Telegram channel. Following the announcement, security sources confirmed to Israel Hayom Daily that there had indeed been a breach into the Ministry's computers.

The group said it had managed to access “classified documents” belonging to the Ministry, as well as documents of cooperation agreements between the regime and other states. The breach also revealed data concerning “senior Israeli officers” and the regime’s troops, it added.

NetHunter said it had carried out the cyber attack as “an answer to part of Zionist crimes.” “We uncover these crimes and introduce some of Israel’s allies and accomplices to the world,” it noted.

The group has now threatened to sell the information to “pro-Palestinian states” if the regime refused to release as many as “500 Palestinian prisoners.”

According to the Israeli paper, the data included "communications and orders," which the hackers have offered for sale for 50 bitcoins (about $3.45 million). (PressTV)

Related: Al Mayadeen

According to documents seen by Haaretz and journalists in Greece, the digital surveillance corporation Intellexa, owned by the former Israeli intelligence officer Tal Dilian, showcased a sensitive spying product that makes it possible to infect mobile phones like iPhones or Androids through online advertisements alone.

According to the documents, in 2022, Intellexa presented a proof of concept for a system called Aladdin that enables the remote infection of a specific mobile telephone device through online advertisements. This is the first time it has been revealed that a company outside of Israel has developed such a spyware tool, which was considered the cutting edge of Israel's offensive cyber. At that time, in Israel, the Defense Ministry was actively working to prevent Israeli companies from marketing identical spyware tools abroad.

The documents also include an updated proposal to a potential client, which shows the firm's most up-to-date catalog of spying tools. In addition, the documents reveal for the first time new limitations that the company imposed on potential customers and how they can use the spyware, likely due to a spate of scandals in Greece and Israel involving Intellexa.

A month ago, the Biden administration imposed personal sanctions on Dilian, who was once the head of the technological unit of Israeli Military Intelligence. The sanctions came after Intellexa, which developed the spyware Predator, which is also sold under other names, was added to a so-called blacklist of firms barred from doing business with US agencies. The move was part of the White House's broader attempt to rein in the global cyber mercenary industry, in which private firms sell military-grade hacking technologies to state bodies. (Omer Benjakob and Eliza Triantafillou / Haaretz)

Price quote from Intellexa. Source: Haaretz.

During a hearing before the Senate Energy and Natural Resources subcommittee, experts said that America’s dams lack the resources to beef up their digital defenses, and the Federal Energy Regulatory Commission (FERC), charged with oversight of the sector, is understaffed and behind on performing cyber audits.

“I don’t want to wake up to a news report about a small town in the Pacific Northwest getting wiped out because of a cyberattack against a private dam upriver,” Chairman Ron Wyden, D-Ore., said in his opening statement.

While there are 91,827 dams of varying sizes in the US, only 2,500 are under FERC’s authority as non-federal dams with hydropower. Hydroelectric dams provide about 28% of renewable energy in the United States.

“Today there are no minimum standards, no audits of a majority of dams and bad cybersecurity. This is inviting cybersecurity trouble in the Northwest,” Wyden said in his opening statement.

Worse, FERC’s cybersecurity requirements have not been updated since 2016. Terry Turpin, director of the Office of Energy Projects at FERC, said that the independent agency plans to update the requirements once it has audited around 70% of the dams by the end of fiscal year 2025. (Christian Vasquez / Cyberscoop)

Researchers at Checkmarx discovered that hackers are abusing GitHub’s search functionality to trick unsuspecting devs into loading malware onto their systems.

The hackers use a series of techniques to artificially inflate the popularity of their fake repositories, pushing them further up GitHub search results.

The first involves leveraging the platform’s automation tool, GitHub Actions, to frequently update the malicious repositories, for example by making minor tweaks to a log file or updating a date or time, which boosts their apparent popularity.

Attackers were also observed creating multiple fake accounts to promote their own malicious repositories, adding fake stars to make the asset seem more trustworthy.

The researchers found that the malicious code used in these attacks is often concealed within Visual Studio project files to evade detection. The code executes automatically when the project is built.

The researchers noted that users will not notice the dubious files unless they explicitly search the repository for suspicious elements.

Based on where the victim is located, the payload downloaded onto the machine is different, suggesting the attackers could be located in Russia and tailoring their attacks to avoid impacting domestic entities and reduce any unwanted attention from the state’s authorities.

The report includes advice on some indicators of compromise (IoCs), including whether the repository in question has received complaints through the GitHub Issues feature or pull requests from devs who experienced problems after downloading and deploying the code. (Solomon Klappholz / ITPro)

Abuse of GitHub’s search functionality. Source: Checkmarx.
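The point about Visual Studio project files is that MSBuild runs build events and Exec tasks the moment someone builds the project, so those commands are worth reading before the first build. The following Python scanner is an added example (not Checkmarx's tooling) that lists every such command in a .csproj/.vcxproj file and flags encoded, downloading or obfuscated commands; the two project files it runs on are constructed, and the "encoded" command in the first one is just the base64 of "ABC".

```python
"""Scan MSBuild project files for commands that run at build time (added example).

Build events and Exec tasks run as soon as someone builds the project, which
is the execution path the Checkmarx report describes. This scanner lists
every such command so it can be reviewed before the first build.
"""
import re
import xml.etree.ElementTree as ET

# Elements whose text or Command attribute is executed by MSBuild.
EVENT_TAGS = {"PreBuildEvent", "PostBuildEvent", "PreLinkEvent"}
# Patterns that warrant a closer look when they appear in a build command.
SUSPICIOUS = [
    ("encoded", re.compile(r"-e(nc(odedcommand)?)?\b", re.I)),
    ("downloader", re.compile(r"https?://|downloadstring|downloadfile|invoke-webrequest|certutil|bitsadmin", re.I)),
    ("obfuscation", re.compile(r"frombase64string|invoke-expression|\biex\b", re.I)),
]


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace that legacy (non-SDK) projects use."""
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text: str) -> list:
    """Return [{'element', 'command', 'flags'}] for every build-time command."""
    findings = []
    root = ET.fromstring(xml_text)
    for el in root.iter():
        tag = _local(el.tag)
        if tag in EVENT_TAGS:
            command = (el.text or "").strip()
        elif tag == "Exec":
            command = (el.get("Command") or "").strip()
        else:
            continue
        if not command:
            continue
        flags = [name for name, rx in SUSPICIOUS if rx.search(command)]
        findings.append({"element": tag, "command": command, "flags": flags})
    return findings


# Constructed sample: an SDK-style project with a harmless copy step and a
# target that launches an encoded PowerShell command ("QUJD" is just "ABC").
SAMPLE_SDK_PROJECT = """<Project Sdk="Microsoft.NET.Sdk">
  <PropertyGroup>
    <OutputType>Exe</OutputType>
    <PreBuildEvent>copy $(TargetPath) $(SolutionDir)bin\\</PreBuildEvent>
  </PropertyGroup>
  <Target Name="Stage" BeforeTargets="Build">
    <Exec Command="powershell -NoProfile -EncodedCommand QUJD" />
  </Target>
</Project>"""

# Constructed sample: a legacy project that uses the 2003 MSBuild namespace.
SAMPLE_LEGACY_PROJECT = """<Project xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <PostBuildEvent>cmd /c echo build finished</PostBuildEvent>
  </PropertyGroup>
</Project>"""


if __name__ == "__main__":
    for sample in (SAMPLE_SDK_PROJECT, SAMPLE_LEGACY_PROJECT):
        for f in scan_project(sample):
            marker = "SUSPICIOUS" if f["flags"] else "review"
            print(f"[{marker}] <{f['element']}> {f['command']}  {f['flags']}")
```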

Researchers at Stedi, a startup that’s built a new platform for Electronic Data Interchange (EDI), discovered a security flaw in AWS Security Token Service (STS), part of AWS’s identity and access management (IAM) offering, that gave read-only users admin access to AWS resources under certain conditions.

The Stedi team reported encountering the bug and seeing that “again and again, our tests gained access to roles above their designated authorization level,” and reported it to AWS in June 2023. The cloud provider was initially skeptical and thought it was a Stedi misconfiguration.

“We spent a lot of time second-guessing ourselves when discovering and diagnosing this bug. We were well aware of IAM’s provable security via automated reasoning, and the documentation is so comprehensive (and intimidating at times) that we were sure it had to be our fault,” Stedi said.

“Of course, you should do your due diligence before reporting issues, but no system is infallible. Sometimes, it is AWS,” the company noted.

After six months, AWS pushed out a fix for the flaw. (The Stack)

Related: Stedi

Researchers at HP Wolf Security report that the Raspberry Robin malware is back in action, this time using a little-known Windows file type for distribution.

Instead of the USB flash drives used in earlier campaigns, the hackers are now using Windows Script Files (WSF) to distribute Raspberry Robin in this new campaign.

These scripts are often used by IT admins and legitimate software to automate tasks within Windows. However, like most tools, they can be abused by hackers and other cybercriminals in their attacks.

In this latest campaign, the hackers responsible are distributing these malicious files using several different domains and subdomains, although it’s unclear how they’re directing potential victims to these particular sites. HP Wolf Security’s researchers believe that spam emails or malvertising could be how the hackers are doing it.

Raspberry Robin is dangerous because it is frequently used to drop other malware strains such as SocGholish, Cobalt Strike, IcedID, BumbleBee, and Truebot onto infected PCs. (Anthony Spadafora / Tom’s Guide)

Related: HP

The US, Japan, and the Philippines reportedly will join forces in cybersecurity defense with a strategic cyber threat-sharing arrangement in the wake of rising attacks by China, North Korea, and Russia.

The initiative will launch during high-level trilateral talks between US President Joe Biden, Japanese Prime Minister Fumio Kishida, and Philippine President Ferdinand Marcos Jr. during a trilateral summit in Washington this week, according to Nikkei Asia.

The cyber alliance comes on the heels of Volt Typhoon, a group of cyberattackers linked to China's military, targeting critical infrastructure networks in the Philippines and US territories in the region. (Robert Lemos / Dark Reading)

Related: Nikkei Asia, CNN

Dozens of new names were registered that demonstrate how Twitter/X’s decision, since rescinded, to automatically modify links that mention “twitter.com” to read “x.com” could be used to craft convincing phishing links, such as fedetwitter[.]com, which until very recently rendered as fedex.com in tweets.

A search at DomainTools.com shows at least 60 domain names have been registered over the past two days for domains ending in “twitter.com,” although research so far indicates the majority of these domains have been registered “defensively” by private individuals to prevent the domains from being purchased by scammers.

Those include carfatwitter.com, which Twitter/X truncated to carfax.com when the domain appeared in user messages or tweets. Visiting this domain currently displays a message that begins, “Are you serious, X Corp?”

Twitter/X has corrected its mistake and no longer truncates any domain ending in “twitter.com” to “x.com.” (Brian Krebs / Krebs on Security)
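The underlying bug is a plain substring replacement applied to link text. As an added example (not code from Twitter/X or from Krebs), the Python below shows that replacement next to a hostname-aware rewrite that only touches links whose host actually is twitter.com or one of its subdomains, plus a small check for registrations of the carfatwitter.com kind; the rewrite rule for subdomains (mobile.twitter.com becomes mobile.x.com) is an assumption of this example.

```python
"""Naive vs. hostname-aware domain rewriting (added example).

Rewriting "twitter.com" to "x.com" as a substring changes what the user
sees ("fedetwitter.com" renders as "fedex.com") without changing where
the link goes. Parsing the URL and matching the whole host avoids that.
"""
from urllib.parse import urlsplit, urlunsplit

OLD, NEW = "twitter.com", "x.com"


def naive_rewrite(text: str) -> str:
    """Substring replacement, the behaviour Krebs describes."""
    return text.replace(OLD, NEW)


def safe_rewrite(url: str) -> str:
    """Rewrite only when the host is exactly twitter.com or a subdomain of it.

    The rebuilt URL keeps scheme, port, path, query and fragment; any
    user@ prefix in the authority is deliberately dropped.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host != OLD and not host.endswith("." + OLD):
        return url  # a different domain that merely ends in the letters "twitter.com"
    new_host = host[: -len(OLD)] + NEW  # keeps any subdomain prefix (assumed policy)
    netloc = new_host + (f":{parts.port}" if parts.port else "")
    return urlunsplit((parts.scheme, netloc, parts.path, parts.query, parts.fragment))


def is_lookalike(host: str) -> bool:
    """True for hosts whose registrable label ends in "twitter" without being it,
    e.g. carfatwitter.com; a coarse check, not a full brand-protection rule."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]
    return label != "twitter" and label.endswith("twitter")


if __name__ == "__main__":
    for link in ("https://fedetwitter.com/track", "https://twitter.com/user/status/1"):
        print(link, "->", naive_rewrite(link), "|", safe_rewrite(link))
```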

Cybersecurity researcher Jeremiah Fowler discovered a non-password-protected database belonging to Dublin-based iCabbi, a dispatch and fleet management technology provider, that contained names, phone numbers, and email addresses of nearly 300,000 taxi passengers in the UK and Ireland.

The exposed email addresses ranged from various email providers and private domains, including 117,231 Gmail, 65,060 Hotmail, 17,588 Yahoo, 18,099 iCloud, 12,798 Outlook, 7,484 Live, and numerous other email accounts.

Email addresses from media outlets such as the BBC and government agencies, including the NIH, HM Treasury, Ministry of Justice, and numerous local and regional government departments, were included. The files also included around 2,000 ac.uk university email addresses.

The folder containing the exposed records also contained many other documents that were secured and denied public access.

In response to Fowler’s disclosure, an iCabbi representative said, “Thanks again for bringing this to my attention - we have deleted the records. Human error to blame here unfortunately... part of a migration of customers but we should not be using public folders. We are going to engage with customers to make them aware of this breach.” (Jeremiah Fowler / vpnMentor)

Related: The Register

Embattled UK MP William Wragg accidentally allowed his WiFi password to be made public when he was photographed for a newspaper.

The now-independent politician, who resigned the Conservative whip on Tuesday after admitting giving colleagues’ phone numbers to a suspected scammer, posed for a photo published in The Observer, with a note of the password scribbled on Commons-headed notepaper and pinned to a board behind him. (Jane Dalton / The Independent)

A now-patched Fortinet FortiClientLinux critical vulnerability could allow remote code execution (RCE) by an unauthenticated attacker.

The flaw tracked as CVE-2023-45590 has a CVSS score of 9.4 and is due to a “dangerous nodejs configuration,” Fortinet said in its Product Security Incident Response Team (PSIRT) advisory. An attacker could exploit this bug to achieve RCE when a victim user visits the attacker’s malicious website.

CVE-2023-45590 impacts versions 7.2.0, 7.0.6 through 7.0.10, and 7.0.3 through 7.0.4 of FortiClientLinux, Fortinet’s cybersecurity solution for Linux operating systems.

To defend against RCE exploits, users will need to upgrade to at least FortiClientLinux version 7.2.1 or 7.0.11. (Laura French / SC Media)

Google has announced a new version of its browser for organizations, Chrome Enterprise Premium, which offers extended security controls for a monthly fee per user.

The product is a step up from Chrome Enterprise, which has been demoted to Chrome Enterprise Core. It provides threat and data protection, increased control options, and reporting capabilities.

Chrome Enterprise Premium is generally available for a monthly fee of $6 per user and, compared to the Core variant, provides organizations extra security through various capabilities. (Ionut Ilascu / Bleeping Computer)

Source: Google.

Israeli cloud security decacorn Wiz has announced the acquisition of fellow Israeli startup Gem Security for an estimated $350 million in cash.

With a valuation of $10 billion and $900 million raised to date, Wiz aims to add to its Cloud Native Application Protection Platform (CNAPP) with Gem's technology. (Meir Orbach / Calcalist)

Best Thing of the Day: How Not to Rebrand Yourself

Security researcher Dominic Alvieri pointed out that the LockBit gang is planning to rebrand itself as DarkVault but bungled its efforts to disguise itself by accidentally including several of LockBit's current branding designs on the new DarkVault leak site.

Worst Thing of the Day: A Near-Doubling of Compromises

The Identity Theft Resource Center reports that the first three months of 2024 saw 841 publicly reported “data compromises,” up 90% over the same period last year, even as the victim counts declined.

Closing Thought