A New Era of macOS Sandbox Escapes: Diving into an Overlooked Attack Surface and Uncovering 10+ New Vulnerabilities
This is a blog post for my presentation at the conference POC2024. The slides are uploaded here.
In the macOS system, most processes are running in a restricted sandbox environment, whether they are Apple’s own services or third-party applications. Consequently, once an attacker gains Remote Code Execution (RCE) from these processes, their capabilities are constrained. The next step for the attacker is to circumvent the sandbox to gain enhanced execution capabilities and broader file access permissions.
But how to discover sandbox escape vulnerabilities? Upon reviewing the existing issues, I unearthed a significant overlooked attack surface and a novel attack technique. This led to the discovery of multiple new sandbox escape vulnerabilities: CVE-2023-27944, CVE-2023-32414, CVE-2023-32404, CVE-2023-41077, CVE-2023-42961, CVE-2024-27864, CVE-2023-42977, and more.
Microlise, a telematics company, said a network intrusion affected services that it provides to British prisoner escort vans.
The global operation was intended to root out malicious IP addresses used for phishing, ransomware and infostealer malware.
A threat actor attempted to use an AV/EDR bypass tool in an extortion attempt. Instead, the tool provided Unit 42 insight into the threat actor.
Detect the ClickFix tactic: a social engineering technique using fake video calls and CAPTCHA pages to deploy malicious code.
The company has said it didn't suffer a breach, but announced a threat actor downloaded data on a public-facing DevHub environment.
Schneider Electric has confirmed a developer platform was breached after a threat actor claimed to steal 40GB of data from the company's JIRA server.
In a rather novel attack chain, attackers deploy a custom-made emulated QEMU Linux box to persist on endpoints, delivered through phishing emails.
Health care breaches lead to legislation
Highlights of the new standard include:
In the last few days, many Tor relay operators - mainly hosting relay nodes on providers like Hetzner - began receiving abuse notices.
All the abuses reported many failed SSH login attempts - part of a brute force attack - coming from their Tor relays.
Tor relays normally only transport traffic between a guard and an exit node of the Tor network, and per-se should not perform any SSH connections to internet-facing hosts, let alone performing SSH brute force attacks.
The president and former prime minister were among targets of hackers selling highly sensitive data.
AEP GmbH was the victim of a targeted cyber attack on October 28, which led to the partial encryption of the company's IT systems. The company's own security systems detected the attack. The company provides information about this on its website.
The Dstat.cc DDoS review platform has been seized by law enforcement, and two suspects have been arrested after the service helped fuel distributed denial-of-service attacks for years.
A vulnerability categorized as “critical” in a photo app installed by default on Synology network-attached storage devices could give attackers the ability to steal data and worse.
Discover the latest insights on the Quad7 / 7777 botnet in our detailed analysis. Learn about the expansion of this resilient threat, its targeting patterns, and proactive measures to defend against compromised routers. Stay informed with our up-to-date findings and recommendations.
Uncover the secrets of the Quad7 botnet and its ever-evolving toolset. Learn about the new backdoors and protocols used by these operators.
Since August 2023, Microsoft has observed intrusion activity targeting and successfully stealing credentials from multiple Microsoft customers that is enabled by highly evasive password spray attacks. Microsoft has linked the source of these password spray attacks to a network of compromised devices we track as CovertNetwork-1658, also known as xlogin and Quad7 (7777). Microsoft is […]
Sophos X-Ops unveils five-year investigation tracking China-based groups targeting perimeter devices
