Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Costin Raiu Profile picture
@craiu
Sep 14, 2021 8 tweets 3 min read Read on X
How to check iOS devices for signs of CVE-2021-30860 / FORCEDENTRY exploitation (for context, see @citizenlab's 13.09.2021 blog). #nso #pegasus #malware #ios
Make an unencrypted iTunes backup, or use MVT (docs.mvt.re/en/latest/inde…) to decrypt an encrypted one. You can also check older backups, if you have them. (it's a good idea to make regular iTunes backups for all your devices, precisely for this reason)
Use DB Browser for SQLite (see sqlitebrowser.org) to open Manifest.db, in the root folder of the iTunes backup. Make sure you open it read-only - "File -> Open Database Read Only".
Once Manifest.db is loaded, go to "Browse Data" and type "Library/SMS/Attachments". You should see something similar to this: Image
Then, type space (" ") and .gif, to check for any .gif files in "Library/SMS/Attachments". Full search string should be "Library/SMS/Attachments .gif". If you find some hits (.gif files) it's a good idea to check them further to establish maliciousness. DM for details.
According to @citizenlab, the malicious .gif files are actually .PDF and .PSD format. A gif file has a typical "GIF8..." header, like this: Image
Last but not least: finding some .gif files in SMS (iMessage) attachments is not a 100% proof that you got targeted - further checks are required to confirm the nature of these files. Also, not finding any files doesn't mean you weren't targeted. Stay vigilant.
And some more generic iOS security tips: reboot your device daily, to remove non-persistent implants. Create regular iTunes backups, to check them later for signs of compromise. Trigger sysdiags regularly and save them.

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Costin Raiu

Costin Raiu Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @craiu

Costin Raiu Profile picture
Sep 23, 2022
Here's my top 10 big "unattributed" #APT mysteries:
1. Project TajMahal: securelist.com/project-tajmah…
2. DarkUniverse - securelist.com/darkuniverse-t…
Read 12 tweets
Costin Raiu Profile picture
Feb 16, 2021
1/9 The French National Cybersecurity Agency @ANSSI_FR released a report on Hades / Sandworm infecting Centreon servers with a PHP backdoor, followed by deploying the Exaramel Linux backdoor. Some notes:
2/9 Centreon is an IT monitoring software, created by a French company with the same name. Some customers include Accor Hotels, AirFrance / KLM, Airbus, Euronews, Orange and various French gov agencies. No indication any of these were breached.
3/9 The first compromise took place in 2017 and and the campaign lasted until 2020. Campaign mostly affected information technology providers, especially web hosting providers. Important: the initial compromise method is not known.
Read 9 tweets
Costin Raiu Profile picture
Dec 21, 2020
Cracking the Sunburst / Solorigate "do not infect" domain hashes, a thread 👉
In their comprehensive analysis of Sunburst / Solorigate, Microsoft highlights an interesting fact: that certain domains are excepted from further infection. microsoft.com/security/blog/…
To quote, "The domain must not contain certain strings; the check for these strings is implemented via hashes, so at this time the domain names that are block-listed are unknown[...] If any of these checks fail, the backdoor terminates"
Read 8 tweets
Costin Raiu Profile picture
Jan 10, 2019
Today, Singapore gov published a large, thorough, 450+ pages analysis report on the Health Services Private Ltd hack. Here's a summary analysis highlighting the most interesting findings. Full report is available at: mci.gov.sg/coireport
The attackers breached Singapore Health Services through a vulnerability in Outlook. Although a patch was available, the systems were not updated. As a side note, it is quite rare that we see attackers exploiting vulnerabilities in Outlook.
Once on the host, the attackers collected passwords and began moving laterally. Some of the passwords were weak and their hashes easily crackable by tools such as @hashcat. Sadly, ‘P@ssw0rd’ is way too common in IT environments.
Read 10 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(