Apple sent a new round of spyware notifications to affected users

Akira is exploiting critical flaw in SonicWall, Vietnamese government warns of National Credit Information Center hack, UK ICO warns that kids are hacking their schools, Opposition to EU Chat Control scanning of encrypted messages grows, New infostealer dubbed ModStealer stays invisible, much more



France’s national cybersecurity response unit said that it was aware that Apple on September 3 sent a new notification to affected customers whose Apple devices may have been hacked in new spyware attacks.

The cybersecurity unit said receiving a threat notification means that at least one of the devices linked to a customer’s iCloud account “has been targeted and would be potentially compromised.”

It’s unclear how many individuals, including in France, received the September 3 threat notification, which spyware was used, or when the intrusions began. (Zack Whittaker / TechCrunch)

Related: CERT.SSI.gouv.fr, Security Affairs, 9to5Mac, CyberInsider, Cyber Security News, Boing Boing, Digital Information World, NDTV Gadgets360.com, Infosecurity Magazine

The Akira ransomware gang is actively exploiting CVE-2024-40766, a year-old critical-severity access control vulnerability, to gain unauthorized access to SonicWall devices.

The hackers are leveraging the security issue to gain access to target networks via unpatched SonicWall SSL VPN endpoints.

SonicWall released a patch for CVE-2024-40766 last year in August, marking it as actively exploited. The flaw allows unauthorized resource access and can cause firewall crashes.

At the time, SonicWall strongly recommended that the update be accompanied by a password reset for users with locally managed SSLVPN accounts.

Without rotating the passwords after the update, threat actors could use exposed credentials for valid accounts to configure the multi-factor authentication (MFA) or time-based one-time password (TOTP) system and gain access.

An alert from the Australian Cyber Security Centre (ACSC) yesterday warns organizations of the new malicious activity, urging immediate action.

“ASD’s ACSC is aware of a recent increase in active exploitation in Australia of a 2024 critical vulnerability in SonicWall SSL VPNs (CVE-2024-40766),” reads the advisory.

“We are aware of the Akira ransomware targeting vulnerable Australian organizations through SonicWall SSL VPNs,” says the Australian Cyber Security Centre.

Cybersecurity firm Rapid7 has made similar observations, reporting that Akira ransomware attacks on SonicWall devices have recently re-ignited, likely tied to incomplete remediation. (Bill Toulas / Bleeping Computer)

Related: TechRadar, Rapid7, SC Media, Security Week, BitSight, CRN, Cyber Express, Undercode News, Cyber Daily, WebProNews, CSO Online, Cyber.gov.au

The government of Vietnam said a cyberattack on the National Credit Information Center could have led to a major breach of personal data and warned the public to be on alert as it investigates the scale of the threat.

The national cyberresponse team is taking emergency measures to deal with the incident, the government said on its website. Authorities are working with the central bank and other agencies to contain the breach and secure the systems of the credit center, known as CIC.

A hacker group known as ShinyHunters is likely behind the attack, CIC told financial institutions, including foreign and domestic banks. The group had said on an online forum that it had obtained national credit information and offered it for sale, according to the letter. (Nguyen Dieu Tu Uyen and Francesca Stevens / Bloomberg)

Related: Socialist Republic of Vietnam, Viet Nam News, Reuters, The Investor, Cryptorank, The Business Times

The UK's Information Commissioner's Office (ICO) issued a warning about what it calls the "worrying trend" of students hacking their own school and college IT systems for fun or as part of dares.

It has told teachers that they are failing to understand and recognise what it calls the "insider threat" pupils pose.

It says that the majority of so-called "insider" cyber attacks and data breaches in education settings originate with students.

"What starts out as a dare, a challenge, a bit of fun in a school setting can ultimately lead to children taking part in damaging attacks on organisations or critical infrastructure," said Heather Toomey, Principal Cyber Specialist at the ICO.

It comes amid a spate of high-profile cyber-attacks, affecting firms including M&S and Jaguar Land Rover, in which teenage hackers have been implicated. (Joe Tidy / BBC News)

Related: IT Pro, The Register, Infosecurity Magazine, EdTech Innovation Hub

Germany and Luxembourg joined the opposition to a new EU regulation that could have forced technology firms to scan encrypted messages in a bid to tackle child abuse material, reviving a debate that cuts to the heart of online privacy and security.

Law enforcement officials and national representatives met in Brussels today, Friday, 12th September, to discuss the latest draft of the so-called Chat Control regulation.

Denmark, which currently holds the rotating presidency of the EU Council, is pushing to bring the proposal to a vote by 14th October, despite fierce resistance from cryptographers, privacy advocates, and some member states.

The current push comes after previous attempts by the EU Council to advance controversial online child protection legislation have faced serious opposition and delays.

The legislation would mandate that technology companies deploy scanning technologies on devices to examine messages, images, and videos before encryption takes place. Artificial intelligence and machine learning systems would also be used to detect previously unknown abuse material. (Franklin Okeke / Computing and Chiara Castro / TechRadar)

Related: Tuta, Euractiv, Cointelegraph, Computer Weekly

After warning 9to5Mac last month about undetectable Mac malware hidden in a fake PDF converter site, Mosyle, a leader in Apple device management and security, has now uncovered a new infostealer dubbed ModStealer that has remained invisible to all major antivirus engines since first appearing on VirusTotal nearly a month ago.

Mosyle says ModStealer doesn’t just target macOS systems, but is cross-platform and purpose-built for one thing: stealing data.

According to Mosyle’s analysis, ModStealer is being delivered to victims through malicious job recruiter ads targeting developers. It uses a heavily obfuscated JavaScript file written with NodeJS that remains completely undetectable by signature-based defenses. And this one isn’t just targeting Mac users either; Windows and Linux environments are also at risk.

The malware’s main goal is data exfiltration, with a particular focus on cryptocurrency wallets, credential files, configuration details, and certificates. Mosyle found pre-loaded code targeting 56 different browser wallet extensions, including Safari, designed to extract private keys and sensitive account info.

The firm’s researchers also discovered that ModStealer is capable of clipboard capture, screen capture, and remote code execution. The first two are bad, but the latter can give attackers nearly complete control over infected devices.

Mosyle believes the ModStealer fits the profile of Malware-as-a-Service (MaaS). (Arin Waichulis / 9to5Mac)

Related: Bitget, Cryptopolitan, Decrypt, CoinDesk, Dataconomy, Cryptonews, Cointelegraph

Israel's National Cyber Directorate said dozens of Israeli actors were targeted in a phishing attack believed to have originated from Iran.

The Directorate said attackers hacked into an email account and posed as organizers of auditions for a new film by a well-known director. The emails asked for audition videos and personal details, including scans of ID cards, passports, and home addresses.

According to the statement, dozens of actors provided the material and later received threatening messages attributing the operation to groups linked to Iran, in what officials described as an attempt to apply psychological pressure.

Israeli media, including Ynet, reported that one phishing email presented itself as an audition request for a project by filmmaker Ari Folman about the Oct. 7 Hamas attack on Israel. It asked applicants to record a personal video and submit supporting documents. (Iran International)

Related: Intellinews, Ynet News

On September 8, the Telegram channel “scattered LAPSUS$ hunters 4.0” declared its intention to “go dark” after taunting law enforcement for repeated missteps.

With an audacious message aimed squarely at the FBI and French authorities, the group claimed victory in evading capture and vowed that no future activity would follow their signature trail of high-profile data breaches.

What seemed like a temporary hiatus has now been confirmed as a permanent retirement from blackhat operations.

The September 8 post lambasted the FBI and French law enforcement for once again detaining an innocent individual, accusing investigators of “wasting budget” by flying agents across the Atlantic only to make “the WRONG arrest.” The hunters boasted that their real operators remain at large and fully aware of law enforcement tactics, promising uninterrupted efficiency regardless of arrests.

In a follow-up message, the channel tersely announced: “This channel is now closed and we’re going away for a while. Thanks.” What the initial announcement characterized as a pause proved deceptive.

Then, on September 11, a communique appeared on BreachForums[.]hn, timed just after DataBreaches’ report on the Salesforce attacks against high-end fashion brands.

Under the heading “Dear World,” the hunters offered an apology for the ambiguity of their earlier silence and explained that 72 hours had allowed them to confirm the viability of contingency plans and to consult with family.

They recounted weeks of complex diversions—from disrupting Jaguar’s factories to “superficially” hacking Google multiple times and overwhelming defenses at Salesforce and CrowdStrike—designed to mislead security firms and government agencies alike.

Crucially, the post hinted at unpublicized breaches of critical infrastructure and high-security government systems, suggesting that victims may yet face undisclosed ransom demands or data exfiltration consequences.

The group claimed to have deliberately abandoned certain tools and communication channels, leaving law enforcement and corporate security teams questioning whether their systems had been fully compromised or left untouched.

“Silence will now be our strength,” the post proclaimed, marking an end to any further direct correspondence from the hunters. (Mayura Kathir / gbhackers)

Related: Cyber Daily, DataBreaches.net, Breach Forums

The California legislature passed a bill that requires internet browsers to feature a setting that allows consumers to send a signal indicating they want to opt out of having their personal data shared with third parties.

The California Consumer Privacy Act gives consumers there the right to send opt-out preference signals, but major browsers have to date failed to offer the functionality needed for them to do so.

The bill now heads to Gov. Gavin Newsom’s desk for a signature. Newsom vetoed an earlier version of the bill which would also have applied to mobile operating systems last year.

If Newsom signs the bill, browser companies will be forced to allow consumers to turn on an opt-out preference signal, which would automatically send an opt-out request to every website they visit. (Suzanne Smalley / The Record)

Related: Legiscan, Consumers Union

Cook County Public Health in Illinois says it has experienced a data breach that may have exposed patients' private information.

People who receive county services may be impacted, and those who are will receive a letter in the mail from Cook County. If you do not receive a letter in the mail, your information was not affected, and no action is needed. (WDIO)

Related: Cook County Public Health

The municipality of The Hague is warning of fake QR codes on parking meters that take victims to a website where they’re asked for bank details.

The municipality itself does not offer QR codes as a parking payment method. Payment can only be made at the parking meter with your debit card, by inserting the card into the machine, or using contactless payment. Parking can also be paid for through an authorized parking provider app.

This fraud has previously also appeared in other cities, such as Amsterdam, Rotterdam, Maastricht and Sittard-Geleen. (The Hague Online)

Related: Den Haag

Seattle-based security and application delivery giant F5 will pay $180 million to acquire CalypsoAI, a startup founded in 2018 that helps companies secure their generative AI infrastructure.

The deal is financed primarily with cash and is expected to close this month. (Taylor Soper / GeekWire)

Related: Irish Independent, Silicon Republic, F5, Inc., Help Net Security, CRN, Business Wire Technology: Security News, Cyberscoop, Network World Security

Best Thing of the Day: It's OK to Surveil Threat Actors

Cybersecurity firm Huntress defended itself against industry criticism that it monitored the activities of an adversary, saying it has an obligation to research and respond to security threats, investigate malware, and educate the broader community about those threats.

Worst Thing of the Day: Switzerland Is No Longer Neutral on Privacy

Switzerland will soon require service providers with more than 5,000 users to collect government-issued identification, retain subscriber data for six months, and, in many cases, disable encryption.

Bonus Worst Thing of the Day: We Weren't Born Yesterday

A top official at the Cybersecurity and Infrastructure Security Agency rejected concerns that personnel and program cuts at CISA have hindered its work.
