Apple quickly patched a zero-click vulnerability in iOS, iPadOS, and macOS that could have allowed attackers to compromise devices and steal sensitive data, including cryptocurrency wallets. The flaw, related to the processing of malicious images via Apple's Image I/O framework, posed a high risk for crypto users, especially those storing assets on their devices. Apple advised all users to update their devices immediately to mitigate the threat, which was linked to sophisticated targeted attacks.
Security researchers have revealed technical details about two now-patched security flaws in Microsoft Windows that could be exploited by threat actors to achieve remote code execution on the Outlook email service without any user interaction. The vulnerabilities, CVE-2023-35384 and CVE-2023-36710, were addressed by Microsoft in August and October 2023, respectively. CVE-2023-35384 is a bypass for a critical security flaw that Microsoft patched in March 2023, and it can be used to steal NTLM credentials and conduct a relay attack. The vulnerabilities can be chained together to create a full zero-click remote code execution exploit against Outlook clients. Organizations are advised to use microsegmentation to block outgoing SMB connections to remote public IP addresses and to disable NTLM or add users to the Protected Users security group to mitigate the risks.
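The three mitigations named above, applied and audited on a single Windows host, as an added example that is not part of the original report or of any Microsoft guidance text. It assumes an elevated PowerShell session on a domain-joined machine with the ActiveDirectory module (RSAT) installed; the account names and rule name are placeholders.

```powershell
# Added example: host-level enforcement of the mitigations named in the summary.
# Assumes an elevated session on a domain-joined host with RSAT's ActiveDirectory
# module. Account names and the rule name are placeholders.

# 1. Block outbound SMB (TCP 445) to non-local destinations.
#    "Internet" is the built-in firewall address keyword for anything outside the
#    local subnet and the configured intranet ranges, so a lure pointing at a
#    public UNC path cannot trigger an NTLM handshake from this host.
$ruleName = "Block outbound SMB to Internet"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Outbound -Action Block -Enabled True `
        -Protocol TCP -RemotePort 445 -RemoteAddress Internet `
        -Profile Any | Out-Null
}

# 2. Add high-value user accounts to Protected Users (placeholder SAM names).
#    Members of this group cannot authenticate with NTLM at all, so even a
#    successful credential leak yields nothing that can be relayed.
$accounts = @("jdoe", "asmith")   # placeholders; do not use for service accounts
foreach ($acct in $accounts) {
    Add-ADGroupMember -Identity "Protected Users" -Members $acct
}

# 3. Report the outbound-NTLM restriction policy for audit.
#    RestrictSendingNTLMTraffic under MSV1_0 backs the policy
#    "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers".
$lsaKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$ntlm = (Get-ItemProperty -Path $lsaKey -Name RestrictSendingNTLMTraffic `
            -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $ntlm) { $ntlm = 0 }   # value absent means the default: allow all
$ntlmLabel = switch ($ntlm) {
    0       { "Allow all" }
    1       { "Audit all" }
    2       { "Deny all" }
    default { "Unknown ($ntlm)" }
}
[pscustomobject]@{
    FirewallRulePresent     = [bool](Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)
    OutboundNtlmRestriction = $ntlmLabel
}
```

Protected Users also disables NTLM, DES and RC4 for its members and shortens ticket lifetimes, so membership changes for service or legacy accounts should be tested before rollout.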
A Washington DC-based organization with international offices was targeted in an apparent Pegasus hack, according to researchers at Citizen Lab. The device of an individual at the organization was found to have been infected with powerful hacking software made by NSO Group, raising concerns about the proliferation of spyware that can infect Apple devices. The attack utilized a "zero-click exploit," allowing the software to infect the user's mobile device through a previously unknown security flaw. NSO Group claims to sell its spyware only to government clients for use in fighting crime and terrorism, but there have been documented cases of misuse. The Biden administration has placed NSO on a blacklist, and the company is facing lawsuits from Apple and WhatsApp.
A new advanced persistent threat (APT) campaign called Operation Triangulation has been discovered targeting iOS devices since 2019. The campaign uses zero-click exploits via iMessage to infect devices with root-privilege malware, giving complete control over the device and user data. The malware is capable of harvesting sensitive information and running code downloaded as plugin modules from a remote server. The attack chain begins with the iOS device receiving a message via iMessage that contains an attachment bearing the exploit. The exact scale and scope of the campaign remain unclear, and it is not known whether the attacks take advantage of a zero-day vulnerability in iOS.