Apple patches zero-days, MOVEit Transfer vuln leaks and the FBI gets cute

Nikolai Chernichenko / Unsplash

Welcome to Changelog for 6/25/23, published by Synack! Nathaniel Mott here after our Juneteenth break with the latest security news.


The payload

So much for Apple helping the NSA compromise iPhones in the former Soviet bloc. The company released updates for macOS, iOS and iPadOS on June 21 to address a trio of actively exploited zero-day vulnerabilities in the XNU kernel and WebKit browser engine it uses across its many platforms.

That release was accompanied by a Kaspersky report about a spyware implant it called TriangleDB, which the company said was used as part of the Operation Triangulation campaign it revealed on June 1. The FSB said at the time that this campaign showed that Apple was collaborating with the NSA to enable the exploitation of its products to further U.S. interests.

I said in a previous newsletter that the FSB’s claims seemed unlikely. Now we have a coordinated effort between Kaspersky and Apple to remediate the vulnerabilities exploited as part of Operation Triangulation. (Kaspersky said on June 5 that it had “shared information with the Apple Security Research team” regarding the vulns mentioned in its initial report.)

So far this has played out like the revelation of other zero-days in Apple’s products: The group that discovered the flaws published a report and sent details to Apple so it could develop patches to remediate the exploited vulnerabilities. Even if the NSA is responsible for Operation Triangulation — Kaspersky hasn’t publicly attributed the campaign to a particular group at time of writing — it doesn’t seem like Apple supported those efforts.

The week, compiled

Don’t you hate it when you accidentally leak a zero-day on Twitter? Probably not as much as Progress Software did when a new exploit for its MOVEit Transfer product — the one we’ve discussed for the last three Changelog installments — was publicly revealed on June 15.

An exploit writer known as “MCKSys Argentina” (probably not his real name) told Bloomberg that “he was trying to replicate and publish the method for the second zero-day found by Huntress, which had already been patched, in order to share information about that fixed vulnerability […] except that the bug turned out to be new.”

Brett Jordan / Unsplash

All of which means the disclosure of a seemingly humdrum SQL injection exploit has since led to the discovery of vulnerabilities that can lead to arbitrary code execution on systems running unpatched versions of the software. Additional vulnerabilities seem likely to be discovered as other researchers poke and prod at MOVEit Transfer in the coming weeks.

Also from last week:

TechCrunch: It seems the feds had a bit of fun while they seized the BreachForums domain, because on June 22 FBI and friends updated their usual “This Domain Has Been Seized” splash page with an illustration of “Pompompurin” in handcuffs to reflect the March arrest of alleged BreachForums founder Connor Brian “Pompompurin” Fitzpatrick.

WSJ: The consequences of Reddit’s decision to kill third-party apps by introducing exorbitant API usage fees kept on comin’ as BlackCat threatened to leak confidential information stolen in February if the company doesn’t reverse that decision and pay a $4.5 million ransom.

NYT: The Biden administration is reportedly worried about the privacy and security concerns of allowing China-based cloud computing companies like Huawei and Alibaba to continue operating in the U.S. and abroad without stricter regulations meant to curb the Chinese government’s ability to access sensitive information as it makes its way through their servers.

A message from Synack

Dive deep into the top software flaws of 2022 in Synack’s inaugural State of Vulnerabilities report. Researchers on the elite Synack Red Team uncovered a record 14,800 exploitable vulnerabilities across Synack targets last year, ranging from authentication failures to SQL injections. The report shares insights into the root causes of these security gaps. Learn how Synack finds the vulnerabilities that matter and check out the full report here.

Flash memory

The public messaging around ransomware attacks is often pretty straightforward: don’t pay. But many organizations decide to pay the ransom anyway. Sometimes it’s because whoever compromised them has threatened to leak sensitive information; sometimes it’s because the cost of recovering from an incident can be higher than the ransom itself. And sometimes it’s because the victim is attempting to respond to a pandemic.

ZDNet reported in June 2020 — around the time most people realized COVID-19 should be taken seriously — that the University of California at San Francisco (UCSF) “admitted to paying a partial ransom demand of $1.14 million to recover files locked down by a ransomware infection.” (The group behind the attack, Netwalker, originally demanded $3 million.)

UCSF said that “this incident did not affect our patient care delivery operations, overall campus network, or COVID-19 work.” BBC reported that the university was “working on a cure” for COVID-19, however, and the Justice Department said in 2021 that Netwalker “specifically targeted the healthcare sector during the COVID-19 pandemic.”

Those organizations were already struggling to respond to the pandemic; it’s little wonder the pleas for them not to pay to restore their systems often fell on deaf ears. These attacks did eventually catch up to at least one Netwalker affiliate: Sebastien Vachon-Desjardins was sentenced to 20 years in prison and ordered to forfeit $21.5 million in October 2022.

Local files

BleepingComputer: UPS was a bit sneaky last week as it sent out data breach notifications to its customers in Canada that, as BleepingComputer put it, “seem[ed] to be a warning to customers about the dangers of phishing” rather than a heads-up that data about them may have been compromised.

Wired: Documents obtained by the American Civil Liberties Union showed that the FBI has pushed state and local police departments to stay mum about phone surveillance capabilities in exchange for access to cell-site simulators, better known as Stingrays, to assist with their investigations.

The Record: The UK’s National Cyber Security Centre said last week that British law firms needed to step up their security as ransomware gangs, state-backed hackers and others seek access to sensitive information about their clients. (Some of which is privileged, which means the firms can be and have been fined if their poor security postures lead to a breach.)

Off-script

I turned 31 last Sunday, which meant I got to celebrate my birthday and Father’s Day by hanging out with my family, going to a local park and… configuring the Linux system I built with my friends the day before.

Maybe it was realizing that I would officially cross that line between “I’m in my 20s!” and “ugh, I’m in my 30s.” Maybe it was the increasing amount of gray in my hair. All I know is that a few weeks ago I decided that it was time to remove Windows 11 from my PC and install NixOS. (Which is about as different an experience as you can have without buying, like, a mainframe.)

Vadim Bogulov / Unsplash

That didn’t end up happening. I decided to make things slightly easier on myself by installing Arch (btw) rather than NixOS — and I say “slightly” because I also decided to proceed without a desktop environment while using Wayland with Nvidia hardware on a system that relies on a USB adapter for WiFi access because my home office isn’t wired for ethernet.

If that paragraph sounds like gobbledygook to you, congratulations! If it sounds like an invitation to critique my setup, it wasn’t! But if it sounds like fun, well, I hope you’ll join me in learning to computer in a slightly weirder way as I avoid thinking about what I’m going to do a decade from now.

That’s all for now — please send any feedback to nmott@synack.com or bsobczak@synack.com. See you next Sunday!