978-223-2959 horizon@saviorlabs.com

Stop – Critical iPhone and iPad Updates

Not to alarm you, but you need to stop whatever you are doing and update your iPhones and iPads.

This is a serious issue as it can compromise your device without you doing anything at all. Unless your device is turned off in a drawer behind a door marked beware of the leopard, it is not safe (extra points if you know what this reference is from).

For technical details, see About the security content of iOS 16.6.1 and iPadOS 16.6.1 – Apple Support and more details at Apple Patches Actively Exploited iOS, macOS Zero-Days – SecurityWeek.

Please subscribe to our private security notice feed on this page. These notices are specially designed for business users.

Please help us out by forwarding this along to anyone you care about.

Another Critical Apple Update

It seems like I keep repeating myself. It seems like I keep repeating myself. But here we go again… you need to stop whatever you are doing and update all your Apple products.

It used to be that Macs did not get viruses. Those days are gone. Sure, they are not viruses but actually much worse: errors in the operating system that allow for the complete takeover of your computer. Scary. Go forth and update, young Jedi! Now, do, there is no try.

See Apple Ships Urgent iOS Patch for Newly Exploited Zero-Days – SecurityWeek

Apple Security Updates – Update Now (Again)

Here we go again!

Apple has released security updates to address vulnerabilities in multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected device.

CISA encourages users and administrators to review the following advisories and apply the necessary updates.

Apple Security Updates Needed NOW!

Apple has some serious updates. So much so that you should install the update now! This is for Apple iOS 16 compatible devices, iPhone 8 and newer (as below).

The table below shows the recent updates and how they apply.

Here is a link to the release notes: https://support.apple.com/en-us/HT213407#1612.

Apple’s iOS 16.3.1 security page discloses that the update contains just two security patches – but very serious ones.

Apple security updates

Name and information link | Available for | Release date
macOS Big Sur 11.7.4 (this update has no published CVE entries) | macOS Big Sur | 15 Feb 2023
Safari 16.3 | macOS Big Sur and macOS Monterey | 13 Feb 2023
iOS 16.3.1 and iPadOS 16.3.1 | iPhone 8 and later, iPad Pro (all models), iPad Air 3rd generation and later, iPad 5th generation and later, and iPad mini 5th generation and later | 13 Feb 2023
macOS 13.2.1 | macOS Ventura | 13 Feb 2023
tvOS 16.3.2 (details available soon) | Apple TV 4K (all models) and Apple TV HD | 13 Feb 2023
watchOS 9.3.1 (details available soon) | Apple Watch Series 4 and later | 13 Feb 2023

For a good report, read this: Apple iOS 16.3.1 Release: Should You Upgrade? (forbes.com)

Widespread takeover of Comcast Xfinity email accounts

Last week a number of Comcast customers logged into their Xfinity email accounts only to discover that they had been hacked. The source of these widespread attacks seems to be an exploit that allows an attacker to bypass Xfinity two-factor authentication (2FA) for Xfinity accounts.

Hackers appear to be using a privately circulated tool that bypasses the one-time-passcode (OTP) used in 2FA. Essentially, your account will not send the 2FA code to you. Instead, the hackers will get it, cutting you out of the loop.

First, the attackers compromise an Xfinity email account by using stolen passwords from the Dark Web. From there, they log in with the stolen passwords and use the private 2FA bypass tool to get around phone verification.

After that, the password is reset, and any backup or secondary emails are changed to one the attacker controls.

Once they have access to the Xfinity email, hackers can use this email to attempt password resets on other services with the ‘Forgot my Password’ feature.

They’ve been observed using this method to compromise Dropbox, Evernote and even cryptocurrency exchange accounts such as Coinbase and Gemini.

Comcast hasn’t released an official statement as of this correspondence, and it’s unknown how many accounts were compromised. If you have a Comcast email account, we recommend that you immediately update your password and check the recovery email and 2FA information you have on file. Reach out to Comcast Xfinity support if necessary.

It is also a good idea to review your other accounts and services for compromise.

A few important things to note in these attacks:

  • 2FA was not enough. The hackers bypassed it.
  • Those who regained access to their accounts did so because they noticed a change in 2FA by monitoring their email accounts.
  • The accounts were originally compromised via “credential stuffing”, which uses leaked passwords found on the Dark Web.

These are all common pain points that our third-party security assessments identify.
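The chain above (credential stuffing from one source, a successful login, then a recovery-email or password change minutes later) leaves a recognisable trace in a provider's authentication audit log. The script below is an added example written for this notice; it is not Comcast's tooling, and the log format, IP addresses, account names and thresholds are all constructed for illustration. It flags a source IP that fails logins for many distinct accounts inside a short window, and separately flags a sensitive-setting change that follows the first-ever successful login for a user from a never-before-seen address.

```python
"""Detection logic for a credential-stuffing -> account-takeover chain.

Added example. SAMPLE_LOG, the key=value line format, the IPs, the user
names and the thresholds are constructed for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Events that change how an account can be recovered or authenticated.
SENSITIVE_EVENTS = {"recovery_email_change", "mfa_change", "password_reset"}

# Constructed sample audit lines: ISO-8601 timestamp followed by key=value fields.
# 203.0.113.7 sprays five accounts, lands on frank, then rewrites his recovery
# settings; alice's later change comes from an address she has used before.
SAMPLE_LOG = """\
2023-01-08T20:00:00Z ip=198.51.100.20 user=alice@example.com event=login result=success
2023-01-10T02:00:01Z ip=203.0.113.7 user=alice@example.com event=login result=fail
2023-01-10T02:00:02Z ip=203.0.113.7 user=bob@example.com event=login result=fail
2023-01-10T02:00:03Z ip=203.0.113.7 user=carol@example.com event=login result=fail
2023-01-10T02:00:04Z ip=203.0.113.7 user=dave@example.com event=login result=fail
2023-01-10T02:00:05Z ip=203.0.113.7 user=erin@example.com event=login result=fail
2023-01-10T02:00:06Z ip=203.0.113.7 user=frank@example.com event=login result=success
2023-01-10T02:00:40Z ip=203.0.113.7 user=frank@example.com event=recovery_email_change
2023-01-10T02:01:10Z ip=203.0.113.7 user=frank@example.com event=password_reset
2023-01-10T09:15:00Z ip=198.51.100.20 user=alice@example.com event=login result=success
2023-01-10T09:20:00Z ip=198.51.100.20 user=alice@example.com event=recovery_email_change
"""


def parse_line(line):
    """Turn one 'TIMESTAMP k=v k=v ...' line into a dict with a datetime under 'ts'."""
    ts_text, *fields = line.split()
    event = {"ts": datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse all non-empty lines and return them in time order."""
    events = [parse_line(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def find_credential_stuffing(events, window=timedelta(minutes=10), min_accounts=5):
    """Map source IP -> peak number of distinct accounts with failed logins inside `window`.

    Only IPs reaching `min_accounts` are returned; one user mistyping a password many
    times never qualifies because distinct users, not attempts, are counted.
    """
    failures = defaultdict(list)
    for e in events:
        if e.get("event") == "login" and e.get("result") == "fail":
            failures[e["ip"]].append(e)
    flagged = {}
    for ip, fails in failures.items():          # fails is time-ordered (events were sorted)
        for i, start in enumerate(fails):
            users = {f["user"] for f in fails[i:] if f["ts"] - start["ts"] <= window}
            if len(users) >= min_accounts:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged


def find_suspicious_changes(events, window=timedelta(hours=1)):
    """(user, ip, event) triples where a sensitive change happened within `window`
    of the first-ever successful login for that user from that IP."""
    known_ips = defaultdict(set)   # user -> IPs that already had a successful login
    first_login = {}               # (user, ip) -> timestamp of the first success
    hits = []
    for e in events:               # time-ordered, so "first" is well defined
        key = (e["user"], e["ip"])
        if e.get("event") == "login" and e.get("result") == "success":
            if e["ip"] not in known_ips[e["user"]]:
                known_ips[e["user"]].add(e["ip"])
                first_login[key] = e["ts"]
        elif e.get("event") in SENSITIVE_EVENTS and key in first_login:
            if e["ts"] - first_login[key] <= window:
                hits.append((e["user"], e["ip"], e["event"]))
    return hits


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("credential stuffing sources:", find_credential_stuffing(evts))
    print("changes after first login from new IP:", find_suspicious_changes(evts))
```

On the constructed sample the first function reports 203.0.113.7 with five distinct accounts, and the second reports both of frank's changes but not alice's, because her recovery-email change came from an address with a successful login two days earlier. The second check is the automated form of the point in the list above: a 2FA or recovery change right after a login from somewhere new is the signal the victims who recovered their accounts spotted by hand.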


If you have any questions or concerns, please do not hesitate to contact us.

LastPass – this should be the Last Pass for LastPass?

If you are using LastPass – STOP – move to another password manager ASAP.

In late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data. (link to CNET article)

I started Tweeting about this in March 2017 – almost six years ago. And again, later that day (The Register). If you use LastPass, it is time for you to do something now.

Personally, I use other tools – you can ask me about them!

If you have any questions or concerns, please do not hesitate to contact us.

Microsoft Teams Flaw allows hackers…

Recently (2022/09/16), security researchers discovered a flaw within Microsoft Teams that allows hackers to extract an account authentication token extremely easily.

While the style of attack isn’t unique, hackers are known for using this kind of technique to bypass multifactor authentication, masquerade as legitimate users, and steal information from organizations.

Even with how easy this attack is, Microsoft said this “does not meet our bar for immediate servicing as it requires an attacker to first gain access to a target network.”

There are some measures we’ve put in place to help mitigate hackers leveraging this kind of attack, including monitoring what is accessing these tokens and ensuring our security tools are configured to prevent malicious access to the tokens.

If you have any questions or concerns, please do not hesitate to contact us.

LastPass – Is This The Last Pass for LastPass

It may not be a secret, but I have been largely ambivalent about LastPass. Although, some years ago, I Tweeted several times about security issues. There have been numerous issues since then (see below). The thing is that, as I sometimes say, “you don’t know what you don’t know”.

  • It may be that LastPass is more diligent and open with the issues they have had,
  • LastPass has more issues than competitors,
  • Other companies don’t tell us about the issues they have seen.

You pick. Will you give them a pass, or start to look elsewhere?

(Parenthetically [are you supposed to say that or just use parentheses], this very issue is one of the reasons why Open Source can be so attractive… it gets continually “vetted” by the community.)

See Notice of Recent Security Incident – The LastPass Blog

To All LastPass Customers,

I want to inform you of a development that we feel is important for us to share with our LastPass business and consumer community.

Two weeks ago, we detected some unusual activity within portions of the LastPass development environment. After initiating an immediate investigation, we have seen no evidence that this incident involved any access to customer data or encrypted password vaults.

We have determined that an unauthorized party gained access to portions of the LastPass development environment through a single compromised developer account and took portions of source code and some proprietary LastPass technical information. Our products and services are operating normally.

In response to the incident, we have deployed containment and mitigation measures, and engaged a leading cybersecurity and forensics firm. While our investigation is ongoing, we have achieved a state of containment, implemented additional enhanced security measures, and see no further evidence of unauthorized activity.

Based on what we have learned and implemented, we are evaluating further mitigation techniques to strengthen our environment. We have included a brief FAQ below of what we anticipate will be the most pressing initial questions and concerns from you. We will continue to update you with the transparency you deserve.

Thank you for your patience, understanding and support.

Karim Toubba
CEO LastPass


Cybersecurity Insurance Notes

I recently came upon these frightening comments from cybersecurity insurance company Beazley:

  • 80% of ransomware victims experience a second attack
  • 68% of those victims experienced a second attack within less than a month
  • Ransom demands increase on new attacks
  • 40% of repeat victims pay a second ransom
  • 10% pay a third ransom
  • 1% pay a fourth ransom

You have been warned: cybersecurity is serious and needs to be managed.

Uptick in SMS Phishing (Smishing)

The United States Federal Communications Commission issued an alert about the increasing onslaught of smishing (SMS phishing) attacks attempting to steal personal data and money. You know it’s bad when flags are being raised at this level.

Why Is Smishing So Effective?

Hackers trick individuals to enter sensitive information by crafting text messages about bank problems, unclaimed bills, package delivery issues, and law enforcement actions.

We’ve observed the most successful campaigns using simple website redirects to impersonate bank and services websites to con individuals into entering credentials and/or MFA codes. In some cases, attackers are also spoofing where the message is coming from, attempting to add legitimacy to the message.

With the credentials, account information, and multifactor codes, threat actors gain access to accounts to make fraudulent purchases, transfer money, steal identity information, or simply sell account access to other criminals.

If you simply click the links contained within the messages, you get added to a list of people who have live numbers and follow these links. That allows hackers to further target you. Dangers are elevated when individuals supply threat actors with any additional data, including credentials or MFA codes.

The FCC recommends taking the following measures to defend against these kinds of attacks:

  • Do not respond to texts from unknown numbers or any others that appear suspicious.
  • Never share sensitive personal or financial information by text.
  • Look out for misspellings or texts that originate from an email address.
  • Think twice before clicking any links in a text message.
  • If a friend sends you a text with a suspicious link that seems out of character, call them to ensure they weren’t hacked.
  • If a business sends you a text you weren’t expecting, look up their number online and call them back.
  • Remember that government agencies almost never initiate contact by phone or text.
  • Report texting scam attempts to your wireless service provider by forwarding unwanted texts to 7726 (or “SPAM”).
  • File a complaint with the FCC.

We continue to monitor the situation with additional novel techniques.

Content provided by Bruce McCully