A matter of triangulation
Posted by: harlan4096 - Yesterday, 08:33 - Forum: Kaspersky Security Blog - Replies (2)
Quote: Targeted attack on our management with the Triangulation Trojan.
![[Image: triangulation-attack-on-ios-featured.jpg]](https://media.kasperskydaily.com/wp-content/uploads/sites/92/2023/06/01091307/triangulation-attack-on-ios-featured.jpg)
Hi all,
Today – some breaking cybersecurity news on an incident we’ve just uncovered…
Our experts have discovered an extremely complex, professional targeted cyberattack that uses Apple’s mobile devices. The purpose of the attack is the inconspicuous placing of spyware into the iPhones of employees of at least our company – both middle and top management.
The attack is carried out using an invisible iMessage with a malicious attachment, which, using a number of vulnerabilities in the iOS operating system, is executed on a device and installs spyware. The deployment of the spyware is completely hidden and requires no action from the user. The spyware then quietly transmits private information to remote servers: microphone recordings, photos from instant messengers, geolocation, and data about a number of other activities of the owner of the infected device.
Despite the attack being carried out as discreetly as possible, the infection was detected by the Kaspersky Unified Monitoring and Analysis Platform (KUMA) – a native SIEM solution for security information and event management; in the beginning of the year the system detected an anomaly in our network coming from Apple devices. Further investigation by our team showed that several dozen iPhones of senior employees were infected with new, extremely technologically sophisticated spyware we’ve dubbed “Triangulation”.
Due to the closed nature of iOS, there are no (and cannot be any) standard operating-system tools for detecting and removing this spyware on infected smartphones. To do this, external tools are needed.
An indirect indication of the presence of Triangulation on the device is the disabling of the ability to update iOS. For more precise and reliable recognition of an actual infection, a backup copy of the device needs to be made and then checked with a special utility. More detailed recommendations are set out in this technical article on Securelist. We’re also developing a free detection utility and will make it available once tested.
Due to certain peculiarities inherent in the blocking of iOS updates on infected devices, we’ve not yet found an effective way to remove the spyware without losing user data. It can only be done by resetting infected iPhones to the factory settings and installing the latest version of the operating system and the entire user environment from scratch. Otherwise, even if the spyware is deleted from the device memory following a reboot, Triangulation is still able to re-infect through vulnerabilities in an outdated version of iOS.
Our report on Triangulation represents just the beginning of the investigation into this sophisticated attack. Today we’re publishing the first results of the analysis, but there’s still a lot of work to do. As the incident continues to be investigated, we’ll be updating new data in a dedicated post on Securelist, and will share our full, finalized findings at the international Security Analyst Summit in October (follow the news on the site).
We’re confident that Kaspersky was not the main target of this cyberattack. The coming days will bring more clarity and further details on the worldwide proliferation of this spyware.
We believe that the main reason for this incident is the proprietary nature of iOS. This operating system is a “black box”, in which spyware like Triangulation can hide for years. Detecting and analyzing such threats is made all the more difficult by Apple’s monopoly of research tools – making it a perfect haven for spyware. In other words, as I’ve often said, users are given the illusion of security associated with the complete opacity of the system. What actually happens in iOS is unknown to cybersecurity experts, and the absence of news about attacks in no way indicates their being impossible – as we’ve just seen.
I’d like to remind you that this is not the first case of a targeted attack against our company. We’re well aware that we work in a very aggressive environment, and have developed the appropriate incident response procedures. Thanks to the measures taken, the company is operating normally, business processes and user data are not affected, and the threat has been neutralized. We continue to protect you, as always.
P.S. Why “Triangulation”?
To recognize the software and hardware specifications of the attacked system, Triangulation uses Canvas Fingerprinting technology and draws a yellow triangle in the device’s memory.
...
AMD Demoes Ryzen AI at Computex 2023
Posted by: harlan4096 - Yesterday, 08:25 - Forum: Hardware News - No Replies
Quote: AI for the masses.
I visited AMD's office here in Taipei, Taiwan, during Computex 2023 to have a conversation with David McAfee, the company's Corporate VP and General Manager of the Client Channel Business. I also had a chance to see AMD's Ryzen XDNA AI engine at work in a laptop demo, and McAfee discussed the steps AMD is taking to prepare the operating system and software ecosystem for the burgeoning AI use cases that will run locally on the PC, which we'll dive into further below.
After following the AMD codename-inspired hallway map you see above, I found my way to the demo room to see AMD's latest tech in action. AMD's demo laptop was an Asus Strix Scar 17 that comes powered by AMD's 4nm 'Phoenix' Ryzen 9 7940HS processor paired with Radeon 780M graphics. These 35-45W chips come with the Zen 4 architecture and RDNA 3 graphics. AMD also had an Asus ROG Zephyrus G14 running the same demo.
The XDNA AI engine is a dedicated accelerator that resides on-die with the CPU cores. The goal for the XDNA AI engine is to execute lower-intensity AI inference workloads, like audio, photo, and video processing, at lower power than you could achieve on a CPU or GPU while delivering faster response times than online services, thus boosting performance and saving battery power.
First, I popped open the task manager to see if the AI engine would enumerate itself as visible cores with utilization metrics, but the XDNA AI engine doesn't show up as a visible device in the task manager. As you can see in the above album, I found the AI engine listed as the 'AMD IPU Device' in the device manager. However, we couldn't observe the load or other telemetry from the cores during the tests.
Here we can see the XDNA AI engine crunching away at a facial recognition workload. To the right of the screen, we can see a measurement of the latency for each step of the workload. The bars are impressively low, and the workload ran quickly through a series of images as the AI engine crunched through the inference workload, but we don't have any context of just how those figures compare to other types of solutions.
AMD's demo did have a button to test its onboard AI engine against the online Azure ONNX EP service, but the demo team told us they had encountered issues with the software, so it wasn't working. Naturally, we would expect the in-built Ryzen AI engine to have lower latency than the Azure service, and logically, that is what AMD was trying to demonstrate. Unfortunately, we were left without a substantive comparison point for the benchmark results.
However, the benchmark does show that AI is alive and breathing on AMD's Ryzen 7040 processors, and the company is also well underway in bolstering the number of applications that can leverage its AI engine.
This engine can handle up to 4 concurrent AI streams, though it can be rapidly reconfigured to handle varying amounts of streams. It also crunches INT8 and bfloat16 instructions, with these lower-precision data types offering much higher power efficiency than other data types -- at least for workloads, like AI inference, that can leverage the benefits. AMD claims this engine, a progeny of its Xilinx IP, is faster than the neural engine present on Apple's M2 processors.
The engine is plumbed directly into the chips' memory subsystem, so it shares a pool of coherent memory with the CPU and integrated GPU, thus eliminating costly data transfers to, again, boost power efficiency and performance.
AMD announced last week at Microsoft's Build conference that it had created a new set of developer tools that leverage the open-source Vitis AI Execution Provider (EP), which is then upstreamed in ONNX runtime, to ease the work required to add software support for the XDNA AI engine. McAfee explained that the Vitis AI EP serves as a sort of bare metal translation layer that allows developers to run models without having to alter the base model. That simplifies integration, and AMD's implementation will currently work with the same applications that Intel uses with its VPU inside Meteor Lake, like Adobe. Also, much like Intel's approach, AMD will steer different AI inference workloads to the correct type of compute, be it the CPU, GPU, or XDNA engine, based upon the needs of the workload.
AMD isn't providing performance metrics for its AI engine yet, but McAfee noted that it's hard to quantify the advantages of an onboard AI engine with just one performance metric, like TOPS, as higher power efficiency and lower latency are all parts of the multi-faceted advantages of having an AI engine. AMD will share figures in the future, though.
McAfee reiterated AMD's plans to continue to execute its XDNA AI roadmap, eventually adding the engine to other Ryzen processors in the future. However, the software ecosystem for AI on the PC is still in its early days, and AMD will continue to explore the tradeoffs versus the real-world advantages.
Much of the advantage of having an inbuilt AI engine resides in power efficiency, a must in power-constrained devices like laptops, but that might not be as meaningful in an unconstrained desktop PC that can use a more powerful dedicated GPU or CPU for inference workloads -- but without the battery life concerns.
I asked McAfee if those factors could impact AMD's decision on whether or not it would bring XDNA to desktop PCs, and he responded that it will boil down to whether or not the feature delivers enough value that it would make sense to dedicate valuable die area to the engine. AMD is still evaluating the impact, particularly as Ryzen 7040 works its way into the market.
For now, AMD isn't confirming any of its future plans, but McAfee said that while AMD is committed to the AI engine being a part of its future roadmaps, it might not come to all products. On that note, he said there could conceivably be other options for different types of chips, like desktop PCs, that leverage AMD's chiplet strategy. Other options, like add-in cards, are also possible solutions.
One thing is for sure: We'll continue to see the scalable integrated XDNA AI engine make an appearance in many of AMD's products in the future. Hopefully, next time we'll see a better demo, too.
...
Brave Browser 1.52 adds vertical tabs support
Posted by: harlan4096 - 01 June 23, 09:00 - Forum: Browsers News & Tips - No Replies
Quote: Brave Software released Brave Browser 1.52 yesterday. The new version of the Chromium-based web browser adds support for vertical tabs.
Vertical tabs allow users of the browser to move the horizontal tab bar to the left side of it. Vertical tabs "help eliminate overcrowding" according to Brave Software's announcement of the feature.
Vertical tabs offer some advantages over horizontal tabs, including that they usually display more tabs at the same time and that the visibility of titles is improved. They work well when widescreen monitors are used and not so well if there is limited space available.
![[Image: brave-browser-vertical-tabs.png]](https://www.ghacks.net/wp-content/uploads/2023/06/brave-browser-vertical-tabs.png)
Brave Browser's implementation of vertical tabs is disabled by default. Brave users may enable it by loading brave://settings/appearance in the browser's address bar and setting the "use vertical tabs" option to enabled.
All common tab-related tasks and options remain available. You can still use Ctrl-T to open a new tab, or use buttons to do so, and close tabs using the x-icon when hovering over a tab. Pinned tabs are displayed at the top before all tabs that are not pinned, and the right-click context menu displays the same options, including one to toggle the vertical tabs feature.
![[Image: brave-browser-vertical-tabs-settings.png]](https://www.ghacks.net/wp-content/uploads/2023/06/brave-browser-vertical-tabs-settings.png)
Two additional options become available when the vertical tabs feature is enabled:
- Show title bar -- determines whether the title bar is displayed or hidden.
- Expand vertical tabs panel on mouseover or when collapsed -- Brave includes the ability to shrink the vertical tabs sidebar to a smaller icon-based sidebar. This feature expands tabs automatically when the mouse is hovered over the area.
The collapsed vertical tab interface looks like this:
![[Image: brave-browser-tabs-collapsed.png]](https://www.ghacks.net/wp-content/uploads/2023/06/brave-browser-tabs-collapsed.png)
Vertical tabs in Brave Browser support groups. Group titles are displayed on top of groups open in the particular browser window.
Tabs can be moved around by using drag & drop operations. One thing that is missing is a hierarchy, similarly to what the Firefox extension Tree Style Tab and others supported for many years. This would display the relationship between tabs in the sidebar.
Brave Browser remembers the user's selection and will start the browser in the selected tab display mode.
Brave 1.52 other changes
Brave Browser version 1.52 includes other changes. While several of them are related to Web3 functionality, mostly associated with crypto-functionality, others improve the browser in other ways.
Brave engineers have restored the option to manage cookies per website. This allows users of the browser to display all cookies set by a particular website and to delete them individually.
Users may load brave://settings/content/all in the address bar to get to the list of sites and their stored cookies directly.
![[Image: copy-text-from-image.png]](https://www.ghacks.net/wp-content/uploads/2023/06/copy-text-from-image.png)
A new feature is the ability to copy text from images on Windows devices. A right-click on an image displays text that Brave identified in a small popup on the screen.
Brave Browser's handling of localhost resources has changed. The browser blocked these outright up until now, unless they were included in an allow-list. The new Localhost connections permission gives users control over these requests, so that they may be allowed or blocked individually.
Localhost access is sometimes required for legitimate purposes. The option works for URLs only currently, but Brave plans to add support for resolved IP addresses in a future update.
Brave's download manager has received two changes. The first adds a new "remove from list" option to the context menu of downloaded items, the second displays a new alert icon when downloads use insecure connections.
The entire release notes are available here. Brave Browser updates itself automatically. You can check the installed version on the browser's about page, which you may load directly via brave://settings/help.
Brave Software unveiled the browser's Off the Record feature recently, which will launch later this year.
Now You: have you tried Brave recently?
...
These Android apps found to carry malicious spyware
Posted by: harlan4096 - 01 June 23, 08:52 - Forum: Privacy & Security News - No Replies
Quote: A significant number of Android apps, including several that were previously available on the Google Play Store, have been discovered to contain a potentially dangerous software development kit.
The recently identified SDK, known as "SpinOK," was brought to light by Dr. Web. This particular software development kit is an advertising module that utilizes various tactics, such as offering mini-games and daily rewards, to engage users and maintain their interest in the displayed advertisements.
Upon investigation, Dr. Web uncovered an SDK and bestowed upon it the name "SpinOK." Disguised as a seemingly innocuous ad module employing enticing features like mini-games and daily prizes, SpinOK aimed to sustain user engagement with the displayed advertisements.
However, unbeknownst to users, this seemingly harmless module was surreptitiously extracting sensitive information from the device it was installed on. As a result, users unwittingly faced heightened risks of identity theft, wire fraud, and various other forms of cybercrime.
"On the surface, the SpinOk module is designed to maintain users' interest in apps with the help of mini games, a system of tasks, and alleged prizes and reward drawings," the researchers stated.
Beyond its deceptive functionality, the discovered SDK was involved in extensive data theft through the compromised apps. To ensure it was not operating within a sandbox environment, the malicious software checked the sensors of the targeted device.
![[Image: apps-android_02.jpg]](https://www.ghacks.net/wp-content/uploads/2023/05/apps-android_02.jpg)
Once confirmed, it established a network connection to fetch a roster of URLs essential for rendering the embedded mini-games. Disturbingly, this allowed the SDK to pilfer a wide range of content, including videos, photos, and other private information. By systematically scanning directories, searching for specific documents, and subsequently transferring them to a remote server, the malware enabled unauthorized access to users' sensitive files.
Additionally, the malware exhibited a common tactic employed by malicious actors: monitoring the clipboard to collect sensitive information. This technique heightened the risk of further data exposure, as the SDK clandestinely tracked and intercepted data stored in the clipboard, potentially compromising critical details and exacerbating the threat to user privacy.
Over 420 million downloads
The extent of the SDK's reach is staggering, with over 420 million instances of apps containing this SDK being downloaded solely from Google Play. Among the compromised apps, researchers identified two highly popular ones, Noizz: video editor with music and Zapya - File Transfer, Share, both boasting over 100 million users.
The trojan module was found in versions 6.3.3 through 6.4 of Zapya, while version 6.4.1 was verified as clean. Notably, other heavily downloaded apps, including MVBit (an MV video status producer) and Biugo (a video maker and editor), accumulated over 50 million downloads each.
Here are some of the most downloaded apps identified by Dr. Web:
- Noizz: video editor with music - 100,000,000 downloads
- Zapya – File Transfer, Share - 100,000,000 downloads (Trojan module present in versions 6.3.3 to 6.4, but absent in the current version 6.4.1)
- VFly: video editor&video maker - 50,000,000 downloads
- MVBit – MV video status maker - 50,000,000 downloads
- Biugo – video maker&video editor - 50,000,000 downloads
- Crazy Drop - 10,000,000 downloads
- Cashzine – Earn money reward - 10,000,000 downloads
- Fizzo Novel – Reading Offline - 10,000,000 downloads
- CashEM: Get Rewards - 5,000,000 downloads
- Tick: watch to earn - 5,000,000 downloads
The article reports that nearly all of the implicated apps have been removed from Google Play Store, and interested readers can consult the comprehensive list of affected apps for further information.
...
Google Chrome 114 closes 16 security issues and improves security
Posted by: harlan4096 - 01 June 23, 08:39 - Forum: Browsers News & Tips - No Replies
Quote: Google has released a new version of its web browser today. Google Chrome 114 is the latest stable version of the browser for desktop operating systems and Android. It patches 16 security issues according to the official announcement on the Chrome releases blog.
Google reveals information about 13 of the 16 vulnerabilities only: 8 security issues have a severity rating of high, 4 a rating of medium and one a low rating. The remaining security issues are not published publicly, as they have been found internally by Google.
Google makes no mention of exploits that are out in the wild already. While that may be reassuring, it is still recommended to update Chrome to version 114 quickly to close the security vulnerabilities.
Google addressed an out-of-bounds write in Swiftshader, several use-after-free issues in components such as Extensions and PDF, type confusion issues in V8, and another out-of-bounds memory access issue in Mojo.
How to update Google Chrome
Chrome users who run the browser on desktop systems may update the browser by loading chrome://settings/help in the address bar or by selecting Menu > Help > About Google Chrome.
The installed version is displayed on the page and a check for updates is performed. The browser will download any update that it finds to install it. A restart of the web browser is required to complete the update.
One of the following versions should be listed on the page after the installation of the update:
- Linux and Mac: Chrome 114.0.5735.90
- Windows: Chrome 114.0.5735.90 or Chrome 114.0.5735.91
- Android: 114.0.5735.57 or 114.0.5735.8
- Windows (Extended Stable): 114.0.5735.91
- Mac (Extended Stable): 114.0.5735.90
Google Chrome 114: non-security changes
Google Chrome 114 is a new major version of the web browser. The Chrome Enterprise and Education release notes provide information on new features that found their way into the web browser.
One of the main changes in Chrome 114 for Android, ChromeOS and Linux is the switch from using the operating system's certificate store to Chrome's own certificate store. This brings Chrome on these three systems in line with Chrome on Windows and Mac, which were switched already.
Administrators may configure the policy ChromeRootStoreEnabled to prevent the migration from happening at this stage. The policy will be removed in Chrome 120. The policy is no longer available for Mac and Windows devices.
Google lists support for the Private State Tokens API, formerly known as Trust Tokens, as another feature that has been integrated into the browser.
"The Private State Token API is a new API for propagating user signals across sites, without using cross-site persistent identifiers like third party cookies for anti-fraud purposes" writes Google in a support document. Current anti-fraud techniques that rely on third-party cookies will stop working once support ends in Chrome. Google announced recently that it will drop support for third-party cookies in 2024 in Chrome.
Google has released an article for developers that explains the functionality. Broken down to its core, the new API may be used to use trust tokens on different sites so that users do not have to regain trust, e.g., through captchas.
Google has implemented a security feature in Chrome 114 for Windows that protects cookie files on disk against unauthorized access.
Here is a quick overview of other changes:
- Old tabs are grouped under Inactive Tabs in the Tab grid on iPhone and iPad.
- Chrome's password manager is now called Google Password Manager. Google lists three new features:
  - grouping of similar passwords.
  - improved checkup flow.
  - password manager shortcut can be added to the desktop.
- Improved password checking on iOS to find out if passwords are considered unsafe.
- Improved editing of notes in the new Google Password Manager.
- Test of a new Bookmarks side panel experience in Chrome that supports filtering, sorting and editing.
- Chrome's Safe Browsing feature, if set to Standard or Enhanced, will recursively unpack downloads of nested archives now to improve protection against malware that uses nested archives.
- Chrome settings synced on iOS or Android are kept separate from local Chrome settings, which were set when sync was off.
- Chrome on iOS supports opening multiple tabs that were open recently on Android.
Now You: what is your take on these new features?
...
Microsoft discovered an exploit in macOS that could bypass System Integrity Protection
Posted by: harlan4096 - 01 June 23, 08:31 - Forum: Privacy & Security News - No Replies
Quote: Microsoft has revealed that its security engineers had discovered an exploit in macOS that could be used to bypass the System Integrity Protection (SIP). Apple has patched the security vulnerability that was code-named Migraine.
What is the Migraine exploit in macOS
As Microsoft's report explains, SIP, also called rootless, is a security technology that was introduced in macOS Yosemite. The sandboxing mechanism is in place to restrict a user with root access from compromising the system's integrity. If not for it, a hacker could breach the system and install some malware on the computer, while creating additional attack vectors.
The report from the Redmond company notes that it used the same malware hunting technique that it had employed to discover the Shrootless vulnerability that it had discovered in 2021. This involved focusing on system processes that were signed by Apple that have the com.apple.rootless.install.heritable entitlement, i.e. a privilege that can be used for particular capabilities. The researchers found 2 child processes that they were able to tamper with and gain arbitrary code execution, which allowed them to bypass the operating system's security checks related to SIP.
![[Image: Microsoft-security-engineers-discover-Mi...-macOS.jpg]](https://www.ghacks.net/wp-content/uploads/2023/05/Microsoft-security-engineers-discover-Migraine-exploit-in-macOS.jpg)
The vulnerability affects macOS' Migration Assistant, hence the name, Migraine. The tool has a Setup Assistant that helps users switch from a Mac or a PC to a new Mac, this is handy when someone buys a new Mac. The exploit that affects the utility works when the user has signed out of the system completely. Microsoft says that this flaw isn't limited to physical access, and that hackers could trigger it remotely to bypass SIP.
The researchers reverse engineered the Migration Assistant to unearth a function that signs out the user. They tried patching it to prevent the process and failed initially, but this helped them discover some debug parameters. They then used the commands to trigger Migration Assistant to run without signing out the user. Microsoft's security engineers created a 1GB Time Machine backup with an arbitrary payload (like a malware) and used an AppleScript to mount it, and trigger the Migration Assistant to start loading the malware.
The researchers say that this method of bypassing the SIP could have dangerous consequences such as undeletable (persistent) malware, and could be used for installing rootkits, triggering kernel code attacks, etc.
Microsoft Threat Intelligence shared its findings with Apple through the Coordinated Vulnerability Disclosure. The security issue was tracked as CVE-2023-32369.
Apple has already patched the Migraine exploit
Apple released macOS Ventura 13.4, macOS Monterey 12.6.6 and macOS Big Sur 11.7.7 on May 18th. The updates contained a patch to fix the Migraine exploit, so you don't need to be worried about your Mac's security if you have installed the latest OS update. If you are yet to update your machine, you should do so as soon as possible.
The Cupertino company had credited Jonathan Bar Or, Anurag Bohra, and Michael Pearse of Microsoft for discovering the security vulnerability (related to libxpc) and reporting it to Apple. It's also worth noting that the Migraine vulnerability was not one of the 3 actively exploited security issues that were addressed in the update.
...