First Malware Designed for Apple M1 Chip Discovered in the Wild

One of the first malware samples tailored to run natively on Apple’s M1 chips has been discovered, suggesting a new development that indicates that bad actors have begun adapting malicious software to target the company’s latest generation of Macs powered by its own processors.

While the transition to Apple silicon has necessitated developers to build new versions of their apps to ensure better performance and compatibility, malware authors are now undertaking similar steps to build malware that are capable of executing natively on Apple’s new M1 systems, according to macOS Security researcher Patrick Wardle.

Wardle detailed a Safari adware extension called GoSearch22 that was originally written to run on Intel x86 chips but has since been ported to run on ARM-based M1 chips. The rogue extension, which is a variant of the Pirrit advertising malware, was first seen in the wild on November 23, 2020, according to a sample uploaded to VirusTotal on December 27.

“Today we confirmed that malicious adversaries are indeed crafting multi-architecture applications, so that their code will natively run on M1 systems,” said Wardle in a write-up published yesterday. “The malicious GoSearch22 application may be the first example of such natively M1 compatible code.”

While M1 Macs can run x86 software with the help of a dynamic binary translator called Rosetta, the benefits of native support mean not only efficiency improvements but also the increased likelihood of staying under the radar without attracting any unwanted attention.

First documented in 2016, Pirrit is a persistent Mac adware family notorious for pushing intrusive and deceptive advertisements to users that, when clicked, downloads and installs unwanted apps that come with information gathering features.

For its part, the heavily obfuscated GoSearch22 adware disguises itself as a legitimate Safari browser extension when in fact, it collects browsing data and serves a large number of ads such as banners and popups, including some that link to dubious websites to distribute additional malware.

Wardle said the extension was signed with an Apple Developer ID “hongsheng_yan” in November to further conceal its malicious content, but it has since been revoked, meaning the application will no longer run on macOS unless attackers re-sign it with another certificate.

Although the development highlights how malware continues to evolve in direct response to both hardware changes, Wardle warned that “(static) analysis tools or antivirus engines may struggle with arm64 binaries,” with detections from industry-leading security software dropping by 15% when compared to the Intel x86_64 version.

GoSearch22’s malware capabilities may not be entirely new or dangerous, but that’s beside the point. If anything, the emergence of new M1-compatible malware signals this is just a start, and more variants are likely to crop up in the future.

Source :

New Bluetooth Vulnerability Exposes Billions of Devices to Hackers

Academics from École Polytechnique Fédérale de Lausanne (EPFL) disclosed a security vulnerability in Bluetooth that could potentially allow an attacker to spoof a remotely paired device, exposing over a billion of modern devices to hackers.

The attacks, dubbed Bluetooth Impersonation AttackS or BIAS, concern Bluetooth Classic, which supports Basic Rate (BR) and Enhanced Data Rate (EDR) for wireless data transfer between devices.

"The Bluetooth specification contains vulnerabilities enabling to perform impersonation attacks during secure connection establishment," the researchers outlined in the paper. "Such vulnerabilities include the lack of mandatory mutual authentication, overly permissive role switching, and an authentication procedure downgrade."

Given the widespread impact of the vulnerability, the researchers said they responsibly disclosed the findings to the Bluetooth Special Interest Group (SIG), the organization that oversees the development of Bluetooth standards, in December 2019.

The Bluetooth SIG acknowledged the flaw, adding it has made changes to resolve the vulnerability. "These changes will be introduced into a future specification revision," the SIG said.

The BIAS Attack

For BIAS to be successful, an attacking device would need to be within the wireless range of a vulnerable Bluetooth device that has previously established a BR/EDR connection with another Bluetooth device whose address is known to the attacker.

The flaw stems from how two previously paired devices handle the long term key, also known as link key, that's used to mutually authenticate the devices and activate a secure connection between them.

The link key also ensures that users don't have to pair their devices every time a data transfer occurs between, say, a wireless headset and a phone, or between two laptops.

The attacker, then, can exploit the bug to request a connection to a vulnerable device by forging the other end's Bluetooth address, and vice versa, thus spoofing the identity and gaining full access to another device without actually possessing the long term pairing key that was used to establish a connection.

Put differently, the attack allows a bad actor to impersonate the address of a device previously paired with the target device.

What's more, BIAS can be combined with other attacks, including the KNOB (Key Negotiation of Bluetooth) attack, which occurs when a third party forces two or more victims to agree on an encryption key with reduced entropy, thus allowing the attacker to brute-force the encryption key and use it to decrypt communications.

Devices Not Updated Since December 2019 Affected

With most standard-compliant Bluetooth devices impacted by the vulnerability, the researchers said they tested the attack against as many as 30 devices, including smartphones, tablets, laptops, headphones, and single-board computers such as Raspberry Pi. All the devices were found to be vulnerable to BIAS attacks.

The Bluetooth SIG said it's updating the Bluetooth Core Specification to "avoid a downgrade of secure connections to legacy encryption," which lets the attacker initiate "a master-slave role switch to place itself into the master role and become the authentication initiator."

In addition to urging companies to apply the necessary patches, the organization is recommending Bluetooth users to install the latest updates from device and operating system manufacturers.

"The BIAS attacks are the first uncovering issues related to Bluetooth's secure connection establishment authentication procedures, adversarial role switches, and Secure Connections downgrades," the research team concluded. "The BIAS attacks are stealthy, as Bluetooth secure connection establishment does not require user interaction."

Source :

Zero-Day Warning: It’s Possible to Hack iPhones Just by Sending Emails

Watch out Apple users!

The default mailing app pre-installed on millions of iPhones and iPads has been found vulnerable to two critical flaws that attackers are exploiting in the wild, at least, from the last two years to spy on high-profile victims.

The flaws could eventually let remote hackers secretly take complete control over Apple devices just by sending an email to any targeted individual with his email account logged-in to the vulnerable app.

According to cybersecurity researchers at ZecOps, the bugs in question are remote code execution flaws that reside in the MIME library of Apple's mail app—first, due to an out-of-bounds write bug and second, is a heap overflow issue.

Though both flaws get triggered while processing the content of an email, the second flaw is more dangerous because it can be exploited with 'zero-click,' where no interaction is required from the targeted recipients.

8-Years-Old Apple Zero-Days Exploited in the Wild

According to the researchers, both flaws existed in various models of iPhone and iPad for the last 8 years since the release of iOS 6 and, unfortunately, also affect the current iOS 13.4.1 with no patch yet update available for the regular versions.

What's more worrisome is that multiple groups of attackers are already exploiting these flaws—for at least 2 years as zero-days in the wild—to target individuals from various industries and organizations, MSSPs from Saudi Arabia and Israel, and journalists in Europe.

"With very limited data, we were able to see that at least six organizations were impacted by this vulnerability – and the full scope of abuse of this vulnerability is enormous," the researchers said.

"While ZecOps refrain from attributing these attacks to a specific threat actor, we are aware that at least one 'hackers-for-hire' organization is selling exploits using vulnerabilities that leverage email addresses as the main identifier."

According to the researchers, it could be tough for Apple users to know if they were targeted as part of these cyber-attacks because it turns out that attackers delete the malicious email immediately after gaining remote access to the victims' device.

"Noteworthy, although the data confirms that the exploit emails were received and processed by victims' iOS devices, corresponding emails that should have been received and stored on the mail-server were missing. Therefore, we infer that these emails were deleted intentionally as part of an attack's operational security cleanup measures," the researchers said.

"Besides a temporary slowdown of a mobile mail application, users should not observe any other anomalous behavior."

To be noted, on successful exploitation, the vulnerability runs malicious code in the context of the MobileMail or maild application, allowing attackers "to leak, modify, and delete emails."

However, to remotely take full control over the device, attackers need to chain it together with a separate kernel vulnerability.

Though ZecOps hasn't mentioned any detail on what kind of malware attackers have been using to target users, it did believe that attackers are exploiting the flaws in combination with other kernel issues to successfully spy on their victims.

Beware! No Patch Yet Available

Researchers spotted in-the-wild-attacks and discovered the related flaws almost two months ago and reported it to the Apple security team.

At the time of writing, only the beta 13.4.5 version of iOS, released just last week, contains security patches for both zero-day vulnerabilities.

For millions of iPhone and iPad users, a public software patch will soon be available with the release of the upcoming iOS update.

Meanwhile, Apple users are strongly advised to do not to use their smartphones' built-in mail application; instead, temporarily switch to Outlook or Gmail apps.

In a piece of separate news, we today reported about another in-the-wild iPhone hacking campaign where Chinese hackers have been caught targeting Uyghur Muslims with exploit iOS chains and spyware apps.


Source :