Cory Vollbrecht
August 18, 2023

Threat Report 18.08.23

Malicious Actors Exploit iOS 16 "Fake" Airplane Mode for Persistent Access

Cybersecurity experts have revealed a novel method of maintaining unauthorised access to Apple devices running iOS 16. The technique presents a fake Airplane Mode, fooling users into believing their devices are offline. In reality, attackers manipulate the user interface to display the Airplane Mode icon while secretly preserving a cellular network connection for their rogue application.

Airplane Mode, which disables the device's wireless capabilities (Wi-Fi, cellular data, Bluetooth and the communication services that depend on them), is at the core of this technique. The deception reuses Airplane Mode's familiar cues to create a façade of disconnection while secretly keeping cellular network access intact.

The method involves altering both the CommCenter daemon, which handles the backend changes, and SpringBoard, which manages the user interface. CommCenter blocks cellular data access for chosen apps and simulates Airplane Mode, while SpringBoard produces a visual deception that mirrors genuine Airplane Mode activation.

To execute this deception, the CommCenter daemon is used to block cellular data access for specific apps. A hooked function in the daemon produces a convincing alert window that mimics Airplane Mode. The result is that users believe their device is disconnected while the malicious payload retains cellular connectivity.

The attack remains covert by utilising an SQL database within the CommCenter daemon. This database records cellular data access status for each application, using a specific flag to block access. Attackers leverage this database to selectively allow or restrict app access to Wi-Fi or cellular data, effectively concealing their backdoor trojan.

Apple responded to the discovery, stating that the exploit doesn't highlight a specific vulnerability in the OS. Rather, it demonstrates a method adversaries could employ to achieve post-compromise persistence on iOS 16 devices.

In summary, cybersecurity researchers have revealed a groundbreaking post-exploit technique that capitalises on the perception of Airplane Mode to maintain unauthorised access on iOS 16 devices. This intricate approach involves both backend manipulation and user interface deception, allowing malicious actors to remain undetected while sustaining cellular connectivity for their rogue applications.

Critical Vulnerabilities Unveiled in Ivanti Avalanche Put Thousands of Organisations at Risk

Numerous critical security vulnerabilities have been identified within Ivanti Avalanche, an enterprise-level mobile device management solution employed by approximately 30,000 organisations.

These vulnerabilities, collectively tracked as CVE-2023-32560 (with a CVSS score of 9.8), are stack-based buffer overflows found in Ivanti Avalanche WLAvanacheServer.exe version 6.4.0.0.

The cybersecurity firm Tenable has determined that these weaknesses stem from buffer overflows that occur while the server processes specific data types. In essence, an unauthenticated remote attacker can trigger the overflow by sending an overly long hexadecimal string or an overly long type 9 item.

The successful exploitation of these vulnerabilities by a remote attacker could lead to the execution of arbitrary code or the crashing of the system.

A stack-based buffer overflow occurs when the buffer being overwritten is allocated on the stack, where it sits alongside control data such as saved registers and the function's return address. Overwriting that data can redirect the program's execution to run unauthorised code with elevated privileges.
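The following added illustration is not Ivanti's code and does not reproduce the WLAvanacheServer.exe message format, which is not described here. It uses a constructed record layout (a hex string decoded into a fixed 16-byte stack buffer) to show the two sides of the defect the report describes: a handler that trusts the sender-supplied length and writes past its stack buffer, beside the hardened form that refuses input larger than the buffer before writing a single byte. The buffer size, function names and sample inputs are all assumptions made for the example.

```c
/*
 * Added example (not Ivanti's code): anatomy of a stack-based buffer
 * overflow in a message handler, and the bounds check that prevents it.
 * The record format and the 16-byte buffer size are constructed for
 * illustration; the real WLAvanacheServer.exe format is not on the page.
 */
#include <assert.h>
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ITEM_BUF_LEN 16   /* hypothetical fixed-size stack buffer */

/* Decode one hex digit; -1 for anything that is not 0-9 / a-f / A-F. */
static int hex_nibble(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * VULNERABLE pattern. The number of bytes written is derived from the
 * sender-supplied string length and never compared with sizeof item, so a
 * hex string longer than 32 digits writes past the end of the stack buffer
 * into saved registers and the return address. Kept only for contrast;
 * nothing in this file calls it with oversized input.
 */
static int decode_hex_item_unsafe(const char *hex) {
    uint8_t item[ITEM_BUF_LEN];
    size_t n = strlen(hex) / 2;
    for (size_t i = 0; i < n; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        item[i] = (uint8_t)((hi << 4) | lo);   /* i is unbounded here */
    }
    return (int)n;
}

/*
 * HARDENED form. The caller passes the destination capacity, and the
 * decoder rejects malformed (odd-length) input with -1 and input that
 * would not fit with -2, before any byte is written.
 */
static int decode_hex_item_safe(const char *hex, uint8_t *out, size_t out_len) {
    size_t len = strlen(hex);
    if (len % 2 != 0) return -1;        /* malformed: odd digit count */
    if (len / 2 > out_len) return -2;   /* would overflow: refuse the record */
    for (size_t i = 0; i < len / 2; i++) {
        int hi = hex_nibble(hex[2 * i]), lo = hex_nibble(hex[2 * i + 1]);
        if (hi < 0 || lo < 0) return -1;
        out[i] = (uint8_t)((hi << 4) | lo);
    }
    return (int)(len / 2);
}

/* Handler shape with the same stack buffer, but the capacity travels with it. */
static int handle_item_safe(const char *hex) {
    uint8_t item[ITEM_BUF_LEN];
    return decode_hex_item_safe(hex, item, sizeof item);
}

/* Constructed oversized record: 24 bytes of payload aimed at a 16-byte buffer. */
static int oversized_rejected(void) {
    char hex[2 * (ITEM_BUF_LEN + 8) + 1];
    memset(hex, 'a', sizeof hex - 1);
    hex[sizeof hex - 1] = '\0';
    return handle_item_safe(hex);
}

int main(void) {
    printf("benign record: %d bytes decoded\n", handle_item_safe("deadbeef"));
    printf("oversized record: rc=%d (rejected before any write)\n", oversized_rejected());
    printf("odd-length record: rc=%d (malformed)\n", handle_item_safe("abc"));
    return 0;
}
```

The point of the contrast is that the safe version needs no knowledge of the attacker's input: it compares the requested write against the buffer's real capacity and fails closed. Building such handlers with stack protectors and fortified source enabled adds a second line of defence, but the explicit length check is what turns a remote code execution primitive into a rejected message.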

In response to these issues, Ivanti has released Avalanche version 6.4.1 as a remedy. This updated version, made available in April 2023, not only addresses the aforementioned CVE-2023-32560, but also tackles six additional vulnerabilities (ranging from CVE-2023-32561 to CVE-2023-32566) that could be exploited to bypass authentication and execute remote code.

Given the recent active exploitation of security vulnerabilities in Ivanti software, it is of utmost importance for users to apply these fixes to their systems swiftly. Doing so effectively mitigates the threats posed by these vulnerabilities.

New QwixxRAT Trojan Emerges: Cybercriminals Peddling Data Theft on Telegram and Discord

In a concerning development, a freshly identified remote access trojan (RAT) named QwixxRAT has emerged, with its threat actor actively promoting its sale across Telegram and Discord platforms.

As described in a recent report by Uptycs, once QwixxRAT is implanted on Windows devices of unsuspecting victims, it discreetly gathers sensitive information. This pilfered data is then forwarded to the attacker's Telegram bot, granting unauthorised access to a treasure trove of personal information.

Uptycs, the cybersecurity company that uncovered this threat, emphasised that QwixxRAT has been meticulously crafted to stealthily acquire a range of valuable data. This encompasses web browsing histories, bookmarked sites, cookies, credit card details, keystrokes, screenshots, specific file types, and even data from applications such as Steam and Telegram.

This sinister tool is up for sale, with a weekly access subscription priced at 150 rubles and a lifetime licence offered for 500 rubles. Additionally, a limited free version of the RAT is available.

Written in C#, QwixxRAT is armed with multiple anti-analysis measures to remain concealed and avoid detection. These include a "sleep" function that delays its execution, as well as routines that check whether the RAT is running within a sandbox or virtual environment.

Furthermore, the trojan boasts the capability to monitor certain processes, such as "taskmgr," "processhacker," "netstat," "netmon," "tcpview," and "wireshark." If it detects these processes, it ceases its own operations until the processes are terminated.

QwixxRAT also harbours a clipper feature, surreptitiously accessing data copied to the device's clipboard. This function aims to enable illicit transfers of funds from cryptocurrency wallets.

For command-and-control (C2) purposes, the trojan relies on a Telegram bot, through which the attacker can issue commands. These commands encompass additional data collection tasks, including audio and webcam recordings, and even the remote shutdown or restart of the compromised system.

This disclosure comes on the heels of Cyberint's revelation of two other RAT variants—RevolutionRAT and Venom Control RAT. These, too, are being advertised on various Telegram channels, offering data exfiltration and C2 connectivity features.

Recent discoveries have also shed light on an ongoing campaign in which compromised websites serve as launchpads for fake Chrome web browser updates, enticing victims to install a remote administration tool named NetSupport Manager RAT via malicious JavaScript code.

Although the use of deceptive browser update tactics bears resemblance to SocGholish (also known as FakeUpdates), concrete evidence connecting these two activities remains elusive.

In light of these developments, the security firm Trellix commented on the situation, pointing out that the exploitation of easily accessible RATs persists because of their potency in facilitating attacks and achieving attackers' objectives. While these RATs might not undergo constant updates, the methods used to deliver their payloads to potential victims will continue to evolve.
