Apple exploits and more: first officer's blog - week 61

Apple exploits, Russian hacktivists and more - these are the latest stories from the world of cyber risk from the past week.

Mike Parkin | July 17, 2023

First officer’s blog

The ongoing voyages of the Federation Support Ship USS [REDACTED]

First Officer’s log, Terrestrial date, 20230717, Officer of the Deck reporting.

It was not uncommon for Federation ships to receive requests for supplies. While replicator technology was common across many Federation worlds, on any modern Federation starship, and even on many other species’ ships, there were some things that were not easily replicated or were outside the energy budget of the ship or installation in question.

The “Dauntless,” as the ship’s captain called it, was over a century old and, even though apparently a retired Starfleet ship, her replicators would have been limited to creating food and smaller devices. The photon torpedoes they were requesting would be beyond the capabilities of their original equipment, as would the plasma coupling, assuming the ship had not been upgraded, which seemed to be the case.

The question remained though.

How did a vintage, though fully armed, Starfleet Frigate, or Light Cruiser, depending on who you asked about the class, end up in private hands?

Continuing the conversation with the other ship’s captain, our XO sounded amicable, if somewhat perplexed.

“Ah, Captain, it’s not Federation policy to sell armaments to private citizens. There have been cases where we’ve supplied phasers and the like for defense, but photon torpedoes aren’t light weapons.”

The Dauntless’s captain seemed quite calm about it, perhaps slightly amused. “Understand completely, Commander. Understand completely. But we’re not exactly civilians, now, are we? This was formerly a Federation warship which is, of course, quite obvious, and we do have a Letter of marque authorizing our operations as a Privateer. That makes us perfectly legitimate.”

Our XO still appeared perplexed, and this “Captain Max’s” cheerfulness wasn’t disarming our second in command. “As you say. Obvious. But, Captain, you’re obviously not Starfleet. So I have to ask, how do you have it?”

“Therein lies a great story, Commander. Why don’t you and some of your officers beam on over and we’ll share the tale. Bring security if you like! We don’t bite. Well, my Chief Engineer does, but only if you ask her nicely. So what do you say?”

Our XO looked to the captain, who had been following the whole exchange with a bit of amusement himself; he nodded and made a minute gesture toward the door from the Bridge.

“Very well, Captain. We’ll be over shortly. [REDACTED] out.”

Another bite in the Apple

What happened

Apple released another set of Rapid Security Responses to address several iOS and macOS vulnerabilities for which there is evidence of exploitation in the wild. These “Rapid Security Response” (RSR) updates were introduced to quickly address vulnerabilities found in Apple products, without waiting for a full point release.

Why it matters

In spite of some mythology surrounding Apple products being “completely secure and unhackable”*, the fact is they suffer from vulnerabilities and exploits just like any other device. That said, it’s good to see that Apple takes device security seriously and has started releasing patches rapidly, especially when there is evidence the vulnerability is being exploited in the wild.

With these, Apple didn’t provide a lot of detail. Regardless, if there is any evidence that a vulnerability is being exploited, it’s better to patch sooner rather than later. That applies whether the flaw is at the application or OS level, whatever OS is involved, and regardless of the supposed “inherent security” of any given operating system.

What they said

As with anything Apple-related, this one got plenty of attention.

*: I’ve seen this claim made repeatedly on several popular public forums, in spite of evidence to the contrary.

You know, I predicted exactly this…

What happened

A recent report has shown that cyber criminals have developed tools based on GPT models as far back as 2021, and these tools have continued to evolve and improve over time. The author’s first conclusion in this report is that organizations need to focus on user training first, even ahead of deploying counter-BEC tools to their email systems.

Why it matters

The report parallels what I have been saying about ChatGPT and other generative AI tools since it first appeared. Yes, it can help lower the bar for creating malware, but the real threat is from improved phishing capabilities that come with these tools. When most phishers were writing like a 6th grader who’d been trained on Hooked on Phonics, it was easy to identify the hooks even if they somehow made it through the spam filters.

The current generation of conversational AI is more than capable of creating coherent and (mostly) believable hooks that are far more likely to land their target. Add some automation and some data scraping from social media sites, and you get a fully automated phishing campaign that can operate at the Spear Phish or Cast-Net* level.

What they said

AI is the hot topic these days, so it makes sense to see this story doing the rounds.

On a related note, I wrote a follow-up to our AI package hallucination piece, that touched on a few ways to proactively blunt the issue. Basically, claiming the hallucinations and using them for good, rather than dropping malware. You can read that here.

*: Cast-netting is a technique where the attacker targets an organization but doesn’t care which specific user they get. Named for the real-world fishing technique of hand throwing a net into a target area.

It’s an awful lot like herding cats.

What happened

Reports are showing that a pro-Russia “Hacktivist” group has been trying to gather other pro-Russia hacktivist groups under their banner with limited success. While their ultimate goal appears to be some kind of power play within the Russian hacktivist community, and possibly the tacit approval and support of the Russian government, their success is far from certain.

Why it matters

Russia is one of several countries known to turn a blind eye to cyber criminal and hacktivist groups operating within their borders, provided the threat actors aren’t targeting assets belonging to Russia or its allies. There is evidence that in some cases these organizations are supported by, if not actively a part of, Russia’s military and intelligence apparatus.

The thing is, getting hacktivists to work together is a bit like herding cats. While they may share a common “mess up ‘The West’” goal, their specific motivations can vary widely and their cooperation is apt to be sporadic and situational at best. Whether any one group will be able to claim it is the “leader” of these groups remains to be seen, though it seems unlikely. That doesn’t mean they won’t gain some State-level support beyond simply being allowed to operate without fear of legal repercussions.

What they said

This one certainly got people talking.

This may not have been the best approach.

What happened

Researchers have discovered a trojan, targeting security researchers, disguised as a Proof of Concept (PoC) that was posted to GitHub. The PoC, rather than being a working exploit, was a backdoor that would have given the attackers access to any system that ran it. The research indicated that the PoC had been shared widely before being identified as malicious and taken down.

Why it matters

This is certainly an interesting approach, but it’s also one that seems likely to be discovered and stopped rather quickly. The attackers are, after all, targeting vulnerability researchers who are likely to be the people best equipped to identify the fake PoC’s malicious behavior. Unless things have changed a lot since I did any vulnerability research, admittedly some years back, looking at the code is going to be part of the process and it’s going to be run in a fully instrumented environment when it is tested.

That means that if people don’t see the issue during a quick code review, which the threat actors were apparently counting on, it would show up when the code started misbehaving in testing. At least if the testing was being done safely, which is exactly what the researchers who found this did.

While I wouldn’t be surprised to hear of someone without a lot of experience being caught by this, I’d honestly be surprised and disappointed to hear about it slipping past a seasoned researcher.
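The “quick code review” step described above can be partly scripted, so that the things a reviewer most wants to read closely in a downloaded PoC are surfaced before anything is executed. The triage script below is an added example written for this post; it is not the researchers’ tooling, nor the malicious PoC the story refers to. The sample PoC text it scans is constructed for the example (the encoded blob is a placeholder, not a real payload), and the indicator list is a set of heuristics I chose, not a published rule set. A hit is a prompt to read that line, not a verdict: a genuine exploit may legitimately carry a shellcode blob or open a socket.

```python
import re
from typing import List, Tuple

# Heuristic indicators for a first read of an unknown PoC (assumed list, chosen
# for this example). Each is a regex applied line by line to the source text.
INDICATORS = [
    # long run of base64 alphabet: an embedded, encoded stage
    ("base64-blob", re.compile(r"[A-Za-z0-9+/]{60,}={0,2}")),
    # decoded data handed straight to the interpreter
    ("decode-and-run", re.compile(r"\b(exec|eval)\s*\(.*(b64decode|decode\()")),
    # shelling out, which an exploit against a remote service rarely needs
    ("shell-exec", re.compile(r"(os\.system|subprocess\.(run|Popen|call)|shell\s*=\s*True)")),
    # classic download-and-execute one-liner
    ("pipe-to-shell", re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b")),
    # any hard-coded outbound URL deserves a look at where it points
    ("outbound-url", re.compile(r"https?://[^\s'\"]+")),
    # writes into hidden locations are a persistence smell
    ("hidden-path", re.compile(r"(\$HOME|~|/tmp)/\.[A-Za-z0-9_]+")),
]


def triage_source(text: str) -> List[Tuple[int, str, str]]:
    """Scan source text and return (line number, indicator, stripped line) for
    every line that matches one of the INDICATORS. Lines are 1-indexed so the
    output can be used directly when opening the file in an editor."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if not stripped:
            continue
        for name, pattern in INDICATORS:
            if pattern.search(stripped):
                findings.append((lineno, name, stripped))
    return findings


# Constructed sample: the first lines look like an ordinary network exploit
# skeleton, while a decode-and-exec stage sits a little further down. The blob
# is base64 of a run of "A" characters, a placeholder rather than a payload.
SAMPLE_POC = '''\
#!/usr/bin/env python3
# proof of concept for <placeholder advisory>
import socket, sys, base64

def build_request(host):
    return b"GET / HTTP/1.1\\r\\nHost: " + host.encode() + b"\\r\\n\\r\\n"

_cfg = "QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"
exec(base64.b64decode(_cfg))

def main():
    s = socket.create_connection((sys.argv[1], 80))
    s.sendall(build_request(sys.argv[1]))
'''


if __name__ == "__main__":
    # Usage in practice: triage_source(open("poc.py").read()) before running
    # anything, and only ever run the PoC in an instrumented, isolated lab.
    for lineno, name, line in triage_source(SAMPLE_POC):
        print(f"line {lineno:>3}  {name:<15} {line[:60]}")
```

Running the block against the constructed sample flags two lines: the embedded blob and the `exec(base64.b64decode(...))` that consumes it. That is exactly the pattern a hurried reader skips over when the top of the file looks like a familiar exploit skeleton, and it is the reason the script reports line numbers rather than a pass/fail result.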

What they said

Plenty. Read more here.
