According to Citizen Lab, a zero-click exploit chain known as BLASTPASS was used to actively exploit two zero-days that Apple fixed today in emergency security updates to install commercial spyware from NSO Group on fully patched iPhones.

The two bugs, followed as CVE-2023-41064 and CVE-2023-41061, permitted the assailants to taint a completely fixed iPhone running iOS 16.6 and having a place with a Washington DC-based common society association by means of PassKit connections containing malignant pictures.

“The exploit chain is referred to as BLASTPASS by us. Citizen Lab stated, “The exploit chain was capable of compromising iPhones running the most recent version of iOS (16.6) without the victim’s interaction.”

“The adventure included PassKit connections containing malevolent pictures sent from an assailant iMessage record to the person in question.”

Resident Lab likewise asked Apple clients to refresh their gadgets right away and empowered those in danger of designated assaults because of their character or calling to actuate Lockdown Mode.

The two zero-days were discovered in the Image I/O and Wallet frameworks by security researchers from Citizen Lab and Apple. CVE-2023-41064 is a buffer overflow that occurs when maliciously crafted images are processed, and CVE-2023-41061 is a validation issue that can be exploited by malicious attachments.

Both enable unauthorized code execution on unpatched iPhone and iPad devices by threat actors.

With improved logic and memory handling, Apple fixed flaws in macOS Ventura 13.5.2, iOS 16.6.1, iPadOS 16.6.1, and watchOS 9.6.2.

The following devices are on the affected list:

Apple has fixed a total of 13 zero-days exploited to target devices running iOS, macOS, iPadOS, and watchOS since the beginning of the year, including: iPhone 8 and later iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later

two zero-days in July (CVE-2023-37450 and CVE-2023-38606),

three zero-days in June (CVE-2023-32434, CVE-2023-32435, and CVE-2023-32439),

four zero-days in May (CVE-2023-32409, CVE-2023-28204, and CVE-2023-32373),

and another WebKit zero-day in February (CVE-2023-23529).

To address the fourth Chrome zero-day vulnerability exploited in attacks since the beginning of the year, Google issued emergency security updates.

In a security advisory that was released on Monday, Google disclosed that the company was aware of the existence of an exploit for CVE-2023-4863.

Users in the Stable and Extended stable channels are currently receiving the new version, and it is anticipated that the entire user base will receive it in the coming days or weeks.
Chrome users are urged to upgrade their browsers as soon as possible to version 116.0.5845.187 (Mac and Linux) or 116.0.5845.187/.188 (Windows), which addresses the CVE-2023-4863 flaw in Windows, Mac, and Linux systems.

This update was quickly accessible when BleepingComputer checked for new updates through the Chrome menu > Help > About Google Chrome.

After a restart, the web browser will also check for new updates and install them without user intervention.
Assault subtleties not yet accessible
The basic zero-day weakness (CVE-2023-4863) is brought about by a WebP pile cushion flood shortcoming whose effect goes from collides with inconsistent code execution.

The bug was accounted for by Apple Security Designing and Engineering (Burn) and The Resident Lab at The College of Toronto’s Munk School last Wednesday, September 6.

Resident Lab security scientists have frequently found and revealed zero-day bugs manhandled in profoundly designated spyware assaults by government-supported danger entertainers focusing on high-risk people like resistance lawmakers, writers, and protesters around the world.

On Thursday, Apple fixed two zero-days labeled by Resident Lab as being taken advantage of in assaults as a feature of an endeavor fasten known as BLASTPASS to taint completely fixed iPhones with NSO Gathering’s Pegasus hired soldier spyware.
Although Google stated that the CVE-2023-4863 zero-day vulnerability has been exploited in the wild, the company has yet to provide any additional information regarding these attacks.

“Admittance to mess with subtleties and connections might be kept limited until a larger part of clients are refreshed with a fix,” Google said. ” If the bug is in a third-party library that other projects similarly rely on but have not yet fixed, we will also maintain restrictions.

This means Chrome users can update their browsers to stop attacks before more technical details are released. This could make it easier for more threat actors to make their own exploits and use them in the real world.

On Twitter and GitHub, cybercriminals are publishing fictitious proof-of-concept exploits for zero-day vulnerabilities that allow malware to infect Linux and Windows.

The GitHub repositories, which are likely aimed at cybersecurity researchers and firms involved in vulnerability research, are promoted on Twitter by alleged researchers at a fictitious cybersecurity company called “High Sierra Cyber Security.”

The users who maintain the repositories impersonate real security researchers from Rapid7 and other security firms, even using their headshots, making them appear to be legitimate.
The same personas have Twitter accounts to draw victims away from the social media platform and lend credibility to their research and code repositories like GitHub.

VulnCheck found this campaign, which promoted alleged exploits for zero-day flaws in popular software like Chrome, Discord, Signal, WhatsApp, and Microsoft Exchange. The campaign has been going on since at least May 2023, according to VulnCheck.
A Python script called “poc.py” that acts as a malware downloader for Linux and Windows systems is always present in the malicious repositories.

Depending on the victim’s operating system, the script downloads a ZIP archive to their computer from an external URL, with Linux users receiving “cveslinux.zip” and Windows users receiving “cveswindows.zip.”

After being extracted, the malware is executed in the Linux /home/username>/.local/share or Windows %Temp% folders.
VulnCheck reports that the Windows twofold contained in the ZIP (‘cves_windows.exe’) is hailed by more than 60% of AV motors on VirusTotal. Only three scanners were able to catch the Linux binary, “cves_linux,” which operates much more subtly.

It is unclear what kind of malware is installed, but both executables install a TOR client, and some detections indicate that the Windows version is a trojan that steals passwords.

VulnCheck notes that the threat actors appear persistent and create new accounts and repositories when the existing ones are reported and removed, despite the fact that the campaign’s success is unknown.

At the time of writing, these seven GitHub repositories are available and should be avoided:

Additionally, these Twitter accounts belong to impersonators and should not be trusted:
github.com/AKuzmanHSCS/Microsoft-Exchange-RCE github.com/MHadzicHSCS/Chrome-0-day github.com/GSandersonHSCS/discord-0-day-fix github.com/BAdithyaHSCS/Exchange-0-Day github.com/RShahHSCS/Discord

Twitter:
@AKuzmanHSCS
@DLandonHSCS
@GSandersonHSCS
@MHadzicHSCS Security researchers and enthusiasts must exercise caution when downloading scripts from unknown repositories because impersonation is always possible.

A similar campaign was carried out in January 2021 by the North Korean state-sponsored hacking group Lazarus. They created fake personas for vulnerability researchers on social media and targeted researchers with zero-days and malware.

Soon thereafter, they designated analysts with trojanized renditions of the IDA Ace picking apart programming to introduce remote access trojans.

Academics recently discovered thousands of fake proof-of-concept (PoC) exploits for various vulnerabilities in GitHub repositories. Some of these exploits infect users with malware, malicious PowerShell, obfuscated info-stealer downloaders, Cobalt Strike droppers, and other malware.

Threat actors can gain access to vulnerability research that they can use in their own attacks by targeting the cybersecurity and vulnerability research communities.

Even worse, the malware may, in many instances, grant initial access to the network of a cybersecurity company, facilitating additional data theft and extortion attacks.

This kind of access can be very useful to a threat actor because cybersecurity companies typically have clients who have sensitive information, such as vulnerability assessments, credentials for remote access, or even unidentified zero-day vulnerabilities.

As a result, every piece of code downloaded from GitHub must be examined for malicious behavior. In this instance, the PoCs clearly show that malware was downloaded and executed, but this may not always be the case when threat actors conceal malicious code.