South Dakota’s Noem Says Cell Phone Number Hacked


South Dakota Gov. Kristi Noem said Monday that her personal cell phone number has been hacked and blamed it on the release of her Social Security number amid hundreds of documents that the House Jan. 6 committee released last year.

The Republican governor, who is weighing a 2024 White House bid, said in a statement that her personal cell phone number had been linked to hoax calls. She has written letters urging U.S. Attorney General Merrick Garland and Congress to investigate the release of her family’s Social Security numbers after they were included in a list of personal information for thousands of people who visited the White House during then-President Donald Trump’s term.

“Callous mishandling of personal information has real world consequences,” Noem said in a statement. “If you get such a phone call from my number, know that I had no involvement.”

Noem said that South Dakota’s Fusion Center, a state agency that compiles criminal intelligence, has been notified of the cell phone hack. Her office did not offer further evidence that the release of her personal information led to the hack.

Related: Calls for UK to Probe Reported Hacking of Liz Truss’s Phone

Related: Catalan: Spain Spy Chief Admits Legally Hacking Some Phones

Related: Turn Off, Turn On: Simple Step Can Thwart Top Phone Hackers

The post South Dakota’s Noem Says Cell Phone Number Hacked appeared first on SecurityWeek.

Apple Patches Exploited iOS Vulnerability in Old iPhones


Apple on Monday announced the release of iOS 12.5.7, which brings a patch for an actively exploited vulnerability to old iPhones and iPads.

The tech giant released security updates for iOS, macOS and other products on Monday to patch many vulnerabilities, including a couple of WebKit flaws that can lead to arbitrary code execution.

In addition to updates for the latest versions of its operating systems, Apple announced the release of iOS 12.5.7, which patches CVE-2022-42856, a WebKit vulnerability that has been exploited by hackers against devices running iOS prior to version 15.1.

The vulnerability, whose exploitation was first seen by Google’s Threat Analysis Group (TAG), can be used for arbitrary code execution through specially crafted web content. 

Apple rolled out its first round of patches for CVE-2022-42856 in December 2022, when it released iOS 16.1.2. The fix was also included at the time in macOS Ventura 13.1, tvOS 16.2, Safari 16.2, and iOS and iPadOS 15.7.2.

Security updates for iOS 12 are increasingly rare, but Apple still releases patches when it needs to protect customers against exploited flaws

There is still no public information on the attacks involving CVE-2022-42856, but Google’s TAG typically tracks exploits used by sophisticated state-sponsored threat actors or commercial spyware vendors.

According to data from Google, five of the iOS vulnerabilities discovered in 2022 were exploited in the wild. 

Related: Apple Warns of macOS Kernel Zero-Day Exploitation

Related: Apple: WebKit Bugs Exploited to Hack Older iPhones

Related: Apple Fixes Exploited Zero-Day With iOS 16.1 Patch

The post Apple Patches Exploited iOS Vulnerability in Old iPhones appeared first on SecurityWeek.

Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones


A security researcher has published technical details on an Arm Mali GPU vulnerability leading to arbitrary kernel code execution and root on Pixel 6 phones using a malicious app installed on the targeted device.

Tracked as CVE-2022-38181 (CVSS score of 8.8), the issue is described as a use-after-free bug that impacts Arm Mali GPU driver versions prior to r40p0 (released on October 7, 2022).

The issue, GitHub Security Lab researcher Man Yue Mo explains, is related to a special function for sending ‘job chains’ to the GPU, but which also supports jobs implemented in the kernel, which run on the CPU instead (and which are called software jobs or softjobs).

“Due to the complexity involved in managing memory sharing between user space applications and the GPU, many of the vulnerabilities in the Arm Mali GPU involve the memory management code. The current vulnerability is another example of this, and involves a special type of GPU memory: the JIT memory,” Man Yue Mo notes in a detailed technical description of the vulnerability.

Some of the softjobs instruct the kernel to allocate and free JIT memory, and CVE-2022-38181 is related to these: malicious code can be used to add a JIT memory region to an eviction list, then create memory pressure to trigger a vulnerable eviction function, resulting in the JIT region being freed without freeing the pointer.

What the researcher discovered was that a freed JIT region could be replaced with a fake object, which could be used to potentially free arbitrary pages and then exploit these to gain read and write access to arbitrary memory.

As a final step in exploiting the vulnerability, an attacker would need to “map kernel code to the GPU address space to gain arbitrary kernel code execution, which can then be used to rewrite the credentials of our process to gain root, and to disable SELinux,” the researcher says.

Man Yue Mo reported the vulnerability to the Android security team in July 2022, along with proof-of-concept (PoC) code demonstrating how the issue can be exploited to execute code and gain root access on Pixel 6.

Initially, the Android team marked the flaw ‘high severity’, but it then informed the researcher that no patch will be released and redirected the report to the Arm team.

After Arm’s patch in October 2022, Google included a fix for this vulnerability in the January 2023 security update for Pixel devices, but without mentioning the CVE ID or the original bug IDs, the researcher says.

Related: Over 75 Vulnerabilities Patched in Android With December 2022 Security Updates

Related: Google Migrating Android to Memory-Safe Programming Languages

Related: Vulnerabilities in Popular Keyboard and Mouse Android Apps Expose User Data

The post Arm Vulnerability Leads to Code Execution, Root on Pixel 6 Phones appeared first on SecurityWeek.

Apple Patches WebKit Code Execution in iPhones, MacBooks


Apple’s product security response team on Monday rolled out patches to cover numerous serious security vulnerabilities affecting users of its flagship iOS and macOS platforms.

The most serious of the documented vulnerabilities affect WebKit and can expose both iOS and macOS devices to code execution attacks via booby-trapped web content, Apple warned in multiple advisories.

On the mobile side, Apple pushed out iOS and iPadOS 16.3 with fixes for more than a dozen documented security defects in a range of operating system components.  These include a trio of WebKit rendering engine bugs that expose devices to arbitrary code execution.

The WebKit flaws also affect users of Apple’s macOS Ventura, Monterey and Big Sur operating systems.

The iOS and iPadOS 16.3 update also fixes privacy- and data-exposure vulnerabilities in AppleMobileFileIntegrity, ImageIO, kernel, Maps, Safari, Screen Time and Weather.

The company also rolled out macOS Ventura 13.2 with patches for about 25 documented vulnerabilities, some serious enough to cause code execution attacks.

Related: Researchers: Brace for Zoho ManageEngine ‘Spray and Pray’ Attacks

Related: Microsoft Patch Tuesday: 97 Windows Vulns, 1 Exploited Zero-Day

Related: Zoom Patches High Risk Flaws on Windows, MacOS Platforms

The post Apple Patches WebKit Code Execution in iPhones, MacBooks appeared first on SecurityWeek.

Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution


Cybersecurity firm NCC Group has shared details on two vulnerabilities in Samsung’s Galaxy Store that could be exploited to install applications or execute JavaScript code by launching a web page.

An alternative app marketplace, the Galaxy Store comes pre-installed on Samsung’s Android devices and can be used alongside Google Play to download and install software.

Tracked as CVE-2023-21433, the first of the vulnerabilities that NCC Group has identified could allow rogue applications on a device to download and install additional software from the Galaxy Store, without the user’s knowledge.

The issue is described as an improper access control flaw, where the app store contained an exported activity that failed to safely handle incoming intents. The bug, NCC explains, only impacted devices running Android 12 and older.

The second vulnerability, CVE-2023-21434, is described as an improper input validation issue that could allow a local attacker to execute JavaScript code by launching a web page.

“It was found that a webview within the Galaxy App Store contained a filter which limited which domains that webview could browse to. However, the filter was not properly configured, which would allow the webview to browse to an attacker-controlled domain,” NCC Group explains.

The vulnerability can be exploited by tapping a malicious URL in Chrome or a pre-installed rogue application, which would bypass existing URL filtering.

The cybersecurity firm has published proof-of-concept (PoC) code for both these vulnerabilities.

The security defects were reported to Samsung in November and December 2022. Both issues were addressed in Galaxy Store version

Owners of Samsung devices running Android 12 or below are advised to update to the latest version of Galaxy Store as soon as possible.

Related: VMware Warns of Exploit for Recent NSX-V Vulnerability

Related: CISA Warns of Attacks Exploiting Recent Atlassian Bitbucket Vulnerability

Related: Owl Labs Patches Severe Vulnerability in Video Conferencing Devices

The post Samsung Galaxy Store Flaws Can Lead to Unwanted App Installations, Code Execution appeared first on SecurityWeek.

Sophisticated ‘VastFlux’ Ad Fraud Scheme That Spoofed 1,700 Apps Disrupted


A sophisticated ad fraud scheme that spoofed over 1,700 applications and 120 publishers peaked at 12 billion ad requests per day before being taken down, bot attack prevention firm Human says.

Dubbed VastFlux, the scheme relied on JavaScript code injected into digital ad creatives, which resulted in fake ads being stacked behind one another to generate revenue for the fraudsters. More than 11 million devices were impacted in the scheme.

The JavaScript code used by the fraudsters allowed them to stack multiple video players on top of one another, generating ad revenue when, in fact, the user was never shown the ads.

VastFlux, Human says, was an adaptation of an ad fraud scheme identified in 2020, targeting in-app environments that run ads, especially on iOS, and deploying code that allowed the fraudsters to evade ad verification tags.

At the first step of the fraudulent operation, an application would contact its primary supply-side partner (SSP) network to request a banner ad to be displayed.

Demand-side partners (DSPs) would place bids for the slot and, if the winner was VastFlux-connected, several scripts would be injected while a static banner image was placed in the slot.

The injected scripts would decrypt the ad configurations, which included a player hidden behind the banner and parameters for additional video players to be stacked. The script would also call to the command-and-control (C&C) server to request details on what to be displayed behind the banner.

The received instructions include both a publisher ID and an app ID that VastFlux would spoof. The size of the ads would also be spoofed and only certain third-party advertising tags were allowed to run inside the hidden video player stack.

What Human discovered was that as many as 25 ads could be stacked on top of one another, with the fraudsters receiving payment for all of them, although none would be shown to the user.

Additionally, the cybersecurity firm noticed that new ads would be loaded until the ad slot with the malicious ad code was closed.

“It’s in this capacity that VastFlux behaves most like a botnet; when an ad slot is hijacked, it renders sequences of ads the user can’t see or interact with,” Human notes.

From late June into July 2022, Human attempted to take down the scheme using three mitigation actions, which eventually resulted in the VastFlux traffic being reduced by more than 92%.

The cybersecurity firm says it has identified the fraudsters and worked with the victim organizations to mitigate the fraud, which resulted in the threat actors shutting down their C&C servers.

“As of December 6th, bid requests associated with VastFlux, which reached a peak of 12 billion requests per day, are now at zero,” Human says.

Related: Google, Apple Remove ‘Scylla’ Mobile Ad Fraud Apps After 13 Million Downloads

Related: US Recovers $15 Million From Ad Fraud Group

Related: Ad Fraud Operation Accounted for Large Amount of Connected TV Traffic

The post Sophisticated ‘VastFlux’ Ad Fraud Scheme That Spoofed 1,700 Apps Disrupted appeared first on SecurityWeek.