Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver spyware.
A little-known cyber mercenary company, QuaDream, has been identified by researchers at Microsoft and digital rights group Citizen Lab as the creator of malware that was used to hack into the iPhones of journalists, political opposition figures, and an NGO worker.
QuaDream, an Israeli spyware maker, reportedly develops zero-click exploits, which are hacking tools that do not require the target to click on malicious links, for iPhones. The final payload of QuaDream’s malware includes recording phone calls, surreptitiously capturing audio using the phone’s microphone, taking pictures, stealing files, tracking the person’s granular location, and deleting forensic traces of its existence.
Credit: Citizen Lab
Citizen Lab’s report states that its researchers were able to trace QuaDream’s spyware by identifying particular marks left by the malware, which they have referred to as the “Ectoplasm Factor.” However, the researchers have decided not to disclose these marks to ensure their ability to track the malware in the future.
The researchers have identified more than five victims, including an NGO worker, politicians, and journalists, whose iPhones were hacked in Europe, North America, the Middle East, and Southeast Asia. However, the researchers have decided not to disclose the victims’ names, as they do not want to jeopardize their safety.
The fact that the victims are in different countries also makes it harder for them to come forward, according to a senior researcher at Citizen Lab.
Although QuaDream has managed to stay under the radar, Israeli newspaper Haaretz reported in 2021 that it sold its wares to Saudi Arabia. A year later, Reuters reported that QuaDream sold an exploit to hack iPhones, which is comparable to the one provided by NSO Group.
It’s important to note that QuaDream does not run the spyware itself, but rather its government customers operate it, which is a common practice in the surveillance technology sector.
According to internet scans conducted by Citizen Lab, QuaDream’s customers operated servers in several countries worldwide, including the following:
Israel
Ghana
Mexico
Bulgaria
Romania
Hungary
Singapore
Uzbekistan
Czech Republic
United Arab Emirates (UAE)
In a blog post, Microsoft labelled QuaDream as an Israel-based private sector offensive actor (PSOA) who sells REIGN, a suite of exploits to governments. This suite includes malware and infrastructure developed to exfiltrate data from targeted smartphones.
The exploit utilized by QuaDream was created for iOS 14 and was a zero-day vulnerability, meaning it was not yet fixed or known by Apple at the time. Government hackers equipped with QuaDream’s exploit used malicious calendar invites with dates in the past to deliver the malware, which did not trigger a notification on the phone, making them invisible to the target.
QuaDream uses a Cyprus-based company called InReach to sell its products, according to Citizen Lab researchers, and this has been confirmed by a person who has worked in the spyware industry.
The discovery of QuaDream’s malware highlights once again that the spyware industry is not only made up of NSO Group but there are several other companies, most of which are still flying under the radar.
If you find yourself drenched in the Google ecosystem, then you will find the new Cross-Device service app useful. This feature is rolling out, and it helps with cross-collaboration between Android devices and Chromebooks. Google made mention of this feature during the CES 2023 event that took place in January, and it is now available.
With this feature, Chromebook users can easily access the apps on their Android device directly from the laptop screen. So there will be no need to reach out to your smartphone while working or studying whenever you need to make use of an app. You simply pull up the app from your Chromebook and perform whatever actions without touching your smartphone.
This feature joins the long list of other cross-collaboration features that exist between Chromebooks and Android devices. If you make use of a Chromebook and an Android device, you will find this feature intriguing. It might also interest you to know that you can easily activate the Google Cross-Device service app for usage between your devices (Android and ChromeOS).
A quick glimpse of what to expect from app streaming as shown by the Google Cross-Device service app
Google is yet to widely roll out this app streaming to Chromebook feature to most Android devices. But some ChromeOS users that have Pixel devices are getting a glimpse of what this feature brings to the table. This is possible through the Cross-Device service app that comes with Google Pixel devices.
Users like Mishaal Rahman have already begun experimenting with this app streaming feature. The Android expert took to his Twitter account to share more information on this feature from his experience so far. Although the Google Cross-Device service app comes bundled with Pixel devices, it isn’t limited to them.
Other devices running Android 13 can access this feature via the Google Play Store. Once you have confirmed that you have this app on your Android device, head over to your Chromebook and open the Phone Hub. This is the little phone icon that sits on the right-hand side of the taskbar.
Ensure that your smartphone with the Cross-Device service app is connected to your Chromebook via the settings icon. If it is, you need to head over to your Android device and enable app streaming. To do this, open settings on your Android device and head over to ‘connected devices.’
Next, open connection preferences and select Chromebook, lastly enable the apps option on the list that pops up. By taking these steps, you will be able to stream your apps to your Chromebook. Any app you open on your Android smartphone will pop up on your Chromebook and you can easily open the app and use it.
All functions and permissions the app comes with will also be available on your Chromebook. This means that you will be able to use your Chromebook’s camera, microphone, speakers, and so on while streaming your Android device’s apps. At the moment, this feature is still rolling out to Chromebooks via a system update. So even if you can’t stream your apps after setting it up, don’t panic, a coming update to your Chromebook will bring this feature.
Okay, so how do you know if the feature is *actually* available for you?
– You must update Cross-Device Services to version 1.0.285.1 from Google Play first. The update is only available on Pixels and the select Android devices I mentioned earlier.
Apple has started to seed the second beta for iOS 16.5 and iPadOS 16.5 to developers. This comes roughly two weeks after the first beta launched. Which is quite common for Apple to do. With subsequent betas having less time in between them.
If you’re a registered developer, you can download iOS 16.5 and iPadOS 16.5 onto your available devices today. Just head over to Settings > General > Software Updates. And then tap on “Beta Updates” option. You’ll want to toggle on the iOS 16/iPadOS 16 Developer Beta option.
Keep in mind that starting with iOS 16.4 that launched last month, only registered developers can get access to the developer betas. So if you are not a registered developer, you’re going to need to sign up. It’ll cost you $99 per year.
What’s new in iOS 16.5?
iOS 16.5 is going to be a rather small update for iOS, especially with iOS 17 being announced in June at WWDC. But there are a few new things coming in iOS 16.5. That includes a new Sports tab within the Apple News app. This will make it easier for users to access sports-focused content. You will be able to choose to follow your favorite teams. So you can get updates on those on a regular basis.
The update to iOS 16.5 also brings in a new Siri option for starting a screen recording with a voice command. And that’s about it, for what’s new in iOS 16.5.
It’s possible that Apple could release some other changes in this second beta, but don’t expect this to be a very large update at all. It’ll likely be mostly a bug fixing update, much like iOS 17 is expected to be. So when could Apple launch iOS 16.5? It’ll likely be in May, possibly around the second or third week of the month. As long as there are no huge bugs that pop up in these betas.
The amount of time we spend on our phones has only continued to increase with each year, which has not gone unnoticed by the manufacturers making them. That is why most phones now have some kind of feature or app that helps users keep track of the hours they spend on their daily drivers and regulate it.OnePlus added its own solution to this issue by launching the Zen Mode app with the OnePlus 7 Pro back in 2019 (one of the best Android phones for its time). Since then, the application is used by many of the company’s fans, and it has now received a significant upgrade, alongside a slight rebranding, as noticed by a member of the OnePlus forum nicknamed Some_Random_Username. (via AndroidAuthority)The app has now changed from Zen Mode to Zen Space, and its icon has been refreshed. The changes are not only visual, though, as OnePlus has added new features and expanded old ones, making the app a more useful tool for those who love using it.
OnePlus Zen Mode/Zen Space app improvements
The app now gives users two options when choosing to go “Zen”. Deep Zen mode is used when you want to completely detach yourself from using your OnePlus phone, blocking all functionality besides taking photos and making/taking emergency calls.
Light Zen mode, on the other hand, is less strict with its restrictions. It allows you to pick apps that would not be affected while you are taking a break. Additionally, unlike Deep Zen mode, Light Zen mode gives you the option to exit it completely, and use the phone as you would usually.
There are two presets that come with Light Zen mode — Work and Study. Both make use of the Work Life Balance feature and pick the apps that would make sense to be included. Of course, you can edit that list of apps if you want to add or remove any.
The Zen Space app comes with a redesigned look in the form of new themes, and you can now also track your Zen session via the Always-On Display, where the app will give you reminders and some at-a-glance information about your progress.
On top of everything else, OnePlus has added more time durations, new achievement medals, and a dashboard to check your weekly statistics.
If found guilty, the accused, Andrey Shevlyakov, could be sentenced to up to 20 years in prison.
An individual named Andrey Shevlyakov, who holds Estonian citizenship, has been taken into custody on March 28th, 2023, in Estonia, accused of conspiracy and other offences related to his efforts to obtain U.S.-made electronics for the Russian government and military.
Shevlyakov had been on the Department of Commerce’s Entity List since 2012, which designates individuals and companies barred from exporting items from the United States without a license.
Despite being on the list, Shevlyakov was able to run an intricate logistics operation involving frequent smuggling trips across the Russian border using front companies and false names to evade restrictions.
Shevlyakov obtained delicate electronic equipment from American manufacturers for the use of Russian end-users, such as defence contractors and other government agencies. If these items were ordered directly for delivery to Russia, they would have been inaccessible to Russian end-users.
The items that Shevlyakov purchased included low-noise pre-scalers and synthesizers used to conduct high-frequency communications and analogue-to-digital converters found in most defence systems that must respond to environmental conditions, including software-defined radio, avionics, missiles, and electronic warfare systems.
During his communications with customers based in Russia, he discussed whether certain orders contained “military” goods. In addition, he tried to obtain computer hacking tools, such as a licensed version of Metasploit Pro, which is an American-made software tool used to penetrate computer networks. Although Metasploit is primarily designed to assess network vulnerabilities, it is also commonly used by hackers.
According to the Department of Justice’s (DOJ) press release, the accusations made in the indictment and other legal documents, Shevlyakov’s intricate and deceptive methods enabled him to obtain highly sensitive electronics made in America for the Russian military. His unlawful actions in obtaining advanced U.S. technology endangered the lives of both U.S. and Ukrainian citizens.
FBI Houston Special Agent in Charge James Smith said, “FBI Houston will continue to work with our valued international partners, especially the Estonian Internal Security Service (KAPO), to investigate and disrupt actors who illicitly support the unprovoked invasion of Ukraine by Russian armed forces.”
If found guilty, the accused could be sentenced to up to 20 years in prison. The National Security and Cybercrime Section of the Office is overseeing the government’s case against the defendant.
Sophos has released a new security advisory that has fixed 3 of its significant vulnerabilities, allowing threat actors to execute arbitrary code injection on Sophos Web Appliance (SWA).
CVE(s):
CVE-2023-1671 – Pre-Auth Command Injection in Sophos Web Appliance
This vulnerability exists on the warn-proceed handler, allowing threat actors to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.
Vulnerable Products:
Sophos Web Appliance 4.3.10.4 and older versions
CVE-2022-4934 – Post-Auth Command Injection in Sophos Web Appliance
This vulnerability exists on the exception wizard handler, allowing administrators to execute arbitrary code. An external security researcher reported it through the Sophos Bug Bounty Program.
Vulnerable Products:
Sophos Web Appliance 4.3.10.4 and older versions
CVE-2020-36692 – Reflected XSS via POST method in Sophos Web Appliance
This vulnerability exists on the report scheduler, allowing threat actors to execute Javascript code on the victim’s browser. To exploit this vulnerability, a threat actor must trick a victim into submitting a malicious form on any compromised website.
In contrast, the victim is logged on to Sophos Web Appliance. An external security researcher reported it through the Sophos Bug Bounty Program.
Vulnerable Products:
Sophos Web Appliance 4.3.10.4 and older versions
Recommendations:
Sophos has released patches to fix these vulnerabilities, which no longer need customer interaction since they are automatically updated.
Sophos has also requested to keep Sophos Web Appliance protected from exposing to the internet
Release Notes:
Work Order
Description
NSWA-1689
Resolved an XSS vulnerability in the report scheduler (CVE-2020-36692).
NSWA-1756
Resolved a vulnerability in the exception wizard (CVE-2022-4934).
NSWA-1763
Resolved a vulnerability in the warning page handler (CVE-2023-1671).
While it was announced a few months ago that the NFL Sunday Ticket would have a new home, this fall. We didn’t know the pricing, nor when it would be available to sign up for. And well, we know today how much. it’ll cost.
For those on the YouTube TV base package, it’ll cost you $249 for the season. You can also get it bundled with NFL RedZone for $289 for the season during the presale.
The presale period is ongoing from now until June 6. Once the presale period is over, the NFL Sunday Ticket will jump in price by $100, to $349 for the season.
How does that compare with DIRECTV? Well, when DIRECTV offered NFL Sunday Ticket, it was $293.94 for the seasons, or $395.94 for the season with the Max package that offers extra content. So it is going up in price, but not by as much as many had though – as long as you have YouTube TV.
Remember that YouTube touted that you don’t need to subscribe to YouTube TV to get NFL Sunday Ticket. So how much is it without YouTube TV? Well, during the presale period, it’ll be $349 for the season. Afterwards, it’ll jump to $449 for the season.
Why is NFL Sunday Ticket so pricey?
Many may be wondering why the NFL Sunday Ticket package is so expensive? Well, to put it simply, it has to be. That’s because the NFL already has deals with CBS and FOX for airing local games, and since the NFL Sunday Ticket airs in-market and out-of-market games, it has to be more expensive to air those in-market games. So it has always been rather expensive.
YouTube is also likely looking to recoup some of the money that it paid the NFL for the package. It’s reported that Google is paying the NFL around $2 billion per year for the NFL Sunday Ticket.
The company has also debuted a new multiview feature, that lets users watch multiple games at the same time. It debuted during March Madness and should be part of the NFL Sunday Ticket package.
A new ALPHV (aka BlackCat Ransomware) has been found and tracked under the ID UNC4466. This ransomware affiliate uses Veritas Backup Exec Installations, which are vulnerable to CVE-2021-27876, CVE-2021-27877, and CVE-2021-2787878. However, these CVEs are used for the initial access only.
A commercial internet scanning tool found a massive 8500 installations of Veritas Backup Exec installations. The count of unpatched versions might still be a significant number.
The ALPHV intrusions were usually from stolen credentials in the past but originated from targeting known vulnerabilities, which states that criminals have emerged.
BLACKMATTER and DARKSIDE ransomware are the predecessors of ALPHV ransomware, released in November 2021 as ransomware-as-a-service. Some ransomware is designed to avoid critical infrastructure, but ALPHV is still in the wild targeting sensitive industries.
Veritas Backup Exec (BE) Agent contains a file access vulnerability that could allow an attacker to specially craft input parameters on a data management protocol command to access files on the BE Agent machine.
Veritas Backup Exec (BE) Agent contains an improper authentication vulnerability that could allow an attacker unauthorized access to the BE Agent via SHA authentication scheme.
Veritas Backup Exec (BE) Agent contains a command execution vulnerability that could allow an attacker to use a data management protocol command to execute a command on the BE Agent machine.
Apply updates per vendor instructions.
2023-04-28
Source : CISA
Timeline
March 2021 – Veritas published advisories for Veritas Backup Exec 16. x, 20. x and 21.x
September 23, 2022 – Metasploit releases module to exploit Veritas Backup Exec versions.
October 22, 2022 – Veritas Vulnerabilities are being exploited, which is observed by Mandiant.
Attack Phases of ALPHV
Initial Compromise and Establish Foothold
UNC4466 used the Metasploit module exploit/multi/veritas/beagent_sha_auth_rce to exploit internet-facing Windows servers with Veritas Backup Exec running. The Metasploit persistence module was used for maintaining permanent access to the systems as part of the remaining intrusion.
Internal Reconnaissance
Once the UNC4466 accessed the Veritas Backup Exec server, they used internet explorer to download Famatech’s Advanced IP scanner from the website. This tool could scan both individual and range of IP addresses, ports, hostnames, and system hardware information.
The UNC4466 also did an Active Directory Recon using the ADRecon to gather network, host, and account information of the victim’s environment.
With a privileged domain account, ADRecon will generate several reports about the AD environment, Trusts, sites, subnets, password policies, and computer and user account listings.
Another advantage is that these reports can be downloaded in the required formats like CSV, XML, JSON, and HTML.
Ingress Tool Transfer
Once they gained privileged access, they transferred additional tools like LAZAGNE, LIGOLO, WINSW, RCLONE, and the ALPHV ransomware encryptor.
C&C (Command and Control)
For achieving communication between these systems, the UNC4466 used SOCK5 tunneling with the victim network. Tools like LIGOLO and REVSOCKS are deployed for evasion, evading all the network defenses or other intrusion prevention systems.
They used BITS Transfer to download several resources to the staging directory “C:\ProgramData,” supported by SOCK5 tunneling, REVSOCKS, and LIGOLO.
Escalate Privileges
For dumping the credentials, the threat actor used tools like Mimikatz, LaZagne, and Nanodump to gather the credentials in clear text.
As per reports, In November 2022, UNC4466 used MIMIKATZ Security Support Provider Injection Module (MISC::MemSSP), which manipulates the Local Security Authority Server Service (LSASS) and collects credentials in clear-text and stores it in a file named “C:\Windows\System32\mimilsa.log”.
Source: MandiantSource: Mandiant
Complete Mission
ALPHV is a rust programming-based ransomware that UNC4466 deploys. The group also changed the default domain policy, which performs malicious actions like disabling security software, downloading the ALPHV encryptor, and executing.
Exposure
As stated, a commercial internet scanning tool found nearly 8500 IP addresses running Veritas Backup Exec service (Symantec/Veritas Backup Exec ndmp) on ports 10000, 9000, and 10001.
However, systems running vulnerable versions were not identified on this scan; threat actors could potentially exploit this.
Detection
For systems running with Veritas Backup Exec versions before 21.2, every system facing the internet should be highly prioritized.
Exploited systems can see the particular logs on the Backup Exec log file. For detection and alerting of these events, it is recommended to forward the file to the SIEM and create an alert for specific events.
[nnnn] YYYY-mm-ddTHH:MM:SS.sss [ndmp\ndmpcomm] – ndmpRun: Control connection accepted : connection established between end-points [Server IP]:10000 and [Remote IP]:[remote port]
For further information on this report, Mandiant has provided a complete analysis of the MITRE Framework and other technical details.
Samsung‘s 2023 flagship tablets may bring a handful of notable upgrades over the 2022 models. Among them could be an AMOLED display for the base model. According to Ross Young, the CEO of Display Supply Chain Consultants (DSCC), the 11-inch Galaxy Tab S9 will get an AMOLED panel this year. Last year’s base model arrived with a TFT LCD screen.
The Korean firm has equipped its flagship tablets with AMOLED displays since the first-gen Galaxy Tab S in 2014. Over time, it expanded the series to launch multiple models of varying sizes. But they differ in more areas and not just size. Most notably, the past two generations (Tab S7 and Tab S8) of Galaxy tablets included a base model with an LCD screen. The bigger models (Plus and Ultra) came with an AMOLED display.
It appears Samsung no longer plans to continue this disparity. The latest rumor in the industry is that the entire Galaxy Tab S9 lineup will feature AMOLED displays, including the smallest model. AMOLED displays consume less power and offer better contrast and colors than LCD panels. As said earlier, the base model will feature an 11-inch display. The Galaxy Tab S9+ should feature a 12.4-inch display, while the Galaxy Tab S9 Ultra should get a 14.6-inch AMOLED panel. All three models will support the S Pen and should boast a 120HZ refresh rate.
This display upgrade for the base Galaxy Tab S9 may be just one of many upgrades Samsung has planned for its next-gen flagship Android tablets. Most notably, we are expecting the lineup to boast an official IP rating for dust and water resistance. All three models are said to arrive with an IP67 rating. It would be a first for the Galaxy Tab S series. Samsung’s rugged Active series tablets do offer protection against dust, water, and drops, but those aren’t geared toward the masses.
Samsung may launch two Galaxy Tab S9 FE models as well
Samsung may launch a total of five Galaxy Tab S9 models this year. Along with the three aforementioned flagships, we may get a couple of FE (Fan Edition) models with modest specs. These tablets recently appeared in benchmark listings with mid-range processors. While there aren’t any rumors so far, the two Galaxy Tab S9 FE devices will probably keep an LCD screen. We should find out soon as Samsung continues the development of the new tablets. The Galaxy Tab S9 series is expected to arrive in the second half of this year.
The first store, called Apple BKC, will be located in Mumbai’s business district, Bandra Kurla Complex, and will open to the public on April 18th. Apple made an official announcement about this store earlier in April and now confirmed that it will inaugurate the store on April 18, 2023.
Just two days later, on April 20th, Apple will open its second store in India, named Apple Saket, located in Delhi’s Select City Walk Mall. The store will offer the latest Apple products, support services, and Today at Apple sessions. Apple says the Saket store logo draws inspiration from “Delhi’s many gates, each signifying a new chapter to the city’s storied past.”
The Apple BKC store in India will be a flagship Apple outlet spanning across 22,000 square feet with a flagship architecture. The company has reportedly even demanded 22 rival brands to stay away from the nearby location of the Apple BKC store. The store in Delhi, however, will be a smaller store and not a flagship retail outlet.
India has become a crucial market for Apple, with the country poised to contribute significantly to the company’s revenue in the near future. To strengthen its presence in India, Apple suppliers have even opened several assembly plants, with plans for more in the pipeline.
Reports suggest that Apple CEO Tim Cook may attend the opening of the company’s BKC retail store in India, indicating the tech giant’s commitment to the Indian market. However, at this moment, it is unknown if Cook will be present at the Delhi store opening.
