Apple releases patches for NSO Group’s ForcedEntry zero-day

This is the NSO exploit disclosed in August and which was used to hack Bahraini activists.

therecord.media/apple-releases…
In an additional report today, Citizen Lab said the same exploit was also used to hack the iPhone of a Saudi activist: citizenlab.ca/2021/09/forced…
Apple releases formal statement regarding ForcedEntry exploit:

Thread author: Catalin Cimpanu (@campuscodi)


More from @campuscodi

26 Jul
NEW: Apple released a patch today for an iOS and macOS zero-day, the 13th zero-day detected and patched this year across its products

therecord.media/apple-releases…
Let me save you a click. Links to security advisories below. Image has the technical deets:

support.apple.com/en-us/HT212623
support.apple.com/en-us/HT212622
All in all, this is the 13th zero-day Apple patched this year.

Although some have suggested via DM, there's no evidence to link these zero-days to NSO or the Pegasus tool.
19 Jul
Breaking: The DOJ has indicted four members of APT40

-three were named as MSS officers for the local Hainan office
-one was a computer hacker hired for their front company (Hainan Xiandun)

therecord.media/us-indicts-fou…
Per court documents, APT40 was run via a front company from the island of Hainan.

The DOJ charges today basically confirm two IntrusionTruth reports from January 2020:

intrusiontruth.wordpress.com/2020/01/16/apt…

intrusiontruth.wordpress.com/2020/01/09/wha…
The DOJ indictment goes into a breadth of technical details not usually seen in DOJ docs, such as detailing industry names, malware families, and even exfil methods, such as using steganography to hide stolen data in Trump images

See PDF: justice.gov/opa/press-rele…
2 Jul
Breaking: The REvil ransomware gang is currently executing a massive supply chain attack via malicious update to Kaseya VSA, a software platform used by MSPs

therecord.media/revil-ransomwa…
News of the attack first surfaced earlier today on a Reddit section dedicated to MSPs, which are usually the companies that run VSA

old.reddit.com/r/kaseya/comme…
Sophos confirmed the incident a few hours later:

2 Jul
NEW: There has been quite some activity from the TrickBot gang recently. This includes:

-developing a new ransomware strain called Diavol
-bringing back its banking module to life after a year and updating it with Zeus-style webinjects

therecord.media/trickbot-new-a…
Diavol was seen only in one incident, and appears to be in development. No leak site, no code to prevent execution on Russian networks, and loads of Conti similarities.

IOCs: fortinet.com/blog/threat-re…
The move to bring back its banking module is, however, a tad bit strange, especially since most banks have pretty good security systems in place, which has led to the demise of banking trojans in the first place

IOCs: kryptoslogic.com/blog/2021/07/t…
1 Jul
NEW: In joint security advisories today from the NSA, FBI, CISA, and UK NCSC, the four agencies detailed a two-year-long brute-force campaign against cloud environments carried out by APT28 (GRU military unit 26165)

therecord.media/fbi-nsa-russia…
The advisory provides more details on the APT28 brute-force tactic that Microsoft first detailed back in Sep 2020: microsoft.com/security/blog/…

The joint advisory PDF is here: media.defense.gov/2021/Jul/01/20…
Some of the deets:

-brute-force attacks are used as an entry point and lateral movement usually follows (usually against Exchange servers via CVE-2020-0688 and CVE-2020-17144)

-APT28 likes to use Tor and loads of commercial VPN providers to hide brute-force attempts
7 Jun
DOJ officials say they recovered most of the Colonial ransomware payment

Per court docs, the DOJ recovered 63.7 of the 75 BTC ransom payment, which is around 85% of the ransom

therecord.media/doj-officials-…
Here's the Bitcoin address from where they seized the funds today: bc1qq2euq8pw950klpjcawuy4uj39ym43hs6cfsegq

blockchain.com/btc/address/bc…
Per court documents, the ransom payment moved a lot across the blockchain, but it doesn't appear to have been laundered through a mixer.

They [Darkside] just shuffled it around a couple of times, and that was it.