CERT-In Warns Apple Users: Critical Vulnerabilities Require Immediate Updates
Executive Summary:
In the recent advisory the Indian Computer Emergency Response Team (CERT-In) has released a high severity warning in the older versions of the software across Apple devices. This high severity rating is because of the multiple vulnerabilities reported in Apple products which could allow the attacker to unfold the sensitive information, and execute arbitrary code on the targeted system. This warning is extremely useful to remind of the necessity to have the software up to date to prevent threats of a cybernature. It is important to update the software to the latest versions and cyber hygiene practices.
Devices Affected:
CERT-In advisory highlights significant risks associated with outdated software on the following Apple devices:
- iPhones and iPads: iOS versions that are below 18 and the 17.7 release.
- Mac Computers: All macOS builds before 14.7 (20G71), 13.7 (20H34), and earlier 20.2 for Sonoma, Ventura, Sequoia, respectively.
- Apple Watches: watchOS versions prior to 11
- Apple TVs: tvOS versions prior to 18
- Safari Browsers: versions prior to 18
- Xcode: versions prior to 16
- visionOS: versions prior to 2
Details of the Vulnerabilities:
The vulnerabilities discovered in these Apple products could potentially allow attackers to perform the following malicious activities:
- Access sensitive information: The attackers could easily access the sensitive information stored in other parts of the violated gadgets.
- Execute arbitrary code: The web page could be compromised with malcode and run on the targeted system which in the worst scenario would give the intruder full Administrator privileges on the device.
- Bypass security restrictions: Measures agreed to safeguard the device and information contained on it may be easily bypassed and the system left open to more proliferation.
- Cause denial-of-service (DoS) attacks: The vulnerabilities could be used to cause the targeted device or service to be unavailable to the rightful users.
- Perform spoofing attacks: There could be a situation where the attackers created fake entities or users or accounts to have a way into important information or do other unauthorized activities.
- Elevate privileges: It is also stated that weaknesses might be exploited to authorize the attacker a higher level of privileges in the system they are targets.
- Engage in cross-site scripting (XSS) attacks: Some of them make the associated Web applications/sites prone to XSS attacks by injecting hostile scripts into Web page code.
Vulnerabilities:
CVE-2023-42824
- Attack vector could allow a local attacker to elevate their privileges and potentially execute arbitrary code.
Affected System
- Apple's iOS and iPadOS software
CVE-2023-42916
- To improve the out of bounds read it was mitigated with improved input validation which was resolved later.
Affected System
- Safari, iOS, iPadOS, macOS, and Apple Watch Series 4 and later devices running watchOS 10.2
CVE-2023-42917
- leads to arbitrary code execution, and there have been reports of it being exploited in earlier versions of iOS.
Affected System
- Apple's Safari browser, iOS, iPadOS, and macOS Sonoma systems
Recommended Actions for Users:
To mitigate these risks, that users take immediate action:
- Update Software: Ensure all your devices are on the most current version of the operating systems they use. Repetitive updates have important security updates that fix identified weaknesses or flaws within the system.
- Monitor Device Activity: Stay vigilant if something doesn’t seem right; if your gadgets are accessed by someone who isn’t you.
- Always use strong, distinct passwords and use two-factor authentication.
- Install and update the antivirus and Firewall softwares.
- Avoid downloading any applications or clicking link from unknown sources
Conclusion:
The advisory from CERT-In, clearly demonstrates the fundamental need of keeping the software on all Apple devices up to date. Consumers need to act right away to patch their devices and apply best security measures like using multiple factors for login and system scanning. This advisory has come out when Apple has just released new products into the market such as the iPhone 16 series in India. When consumers embrace new technologies it is important for them to observe relevant measures of security precautions. Maintaining good cyber hygiene is a critical process for the protection against new threats.
Reference:
- https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES02&VLCODE=CIAD-2023-0043
- https://www.cve.org/CVERecord?id=CVE-2023-42916
- https://www.cve.org/CVERecord?id=CVE-2023-42917
- https://www.bizzbuzz.news/technology/gadjets/cert-in-issues-advisory-on-vulnerabilities-affecting-iphones-ipads-and-macs-1337253#google_vignette
- https://www.wionews.com/videos/india-warns-apple-users-of-high-severity-security-risks-in-older-software-761396
Related Blogs
Introduction
According to a draft of the Digital Personal Data Protection Bill, 2023, the Indian government may have the authority to reduce the age at which users can agree to data processing to 14 years. Companies requesting consent to process children’s data, on the other hand, must demonstrate that the information is handled in a “verifiably safe” manner.
The Central Government might change the age limit for consent
The proposed Digital Personal Data Protection Bill 2022 in India attempts to protect child’s personal data under the age of 14 through several provisions. The proposed lower age of consent in India under the Digital Personal Data Protection Bill 2022 is to loosen relevant norms and fulfil the demands of Internet corporations. After a year, the government may reconsider the definition of a child with the goal of expanding coverage to children under the age of 14. The proposed shift in the age of consent has elicited varied views, with some experts suggesting that it might potentially expose children to data processing concerns.
The definition of a child is understood to have been amended in the data protection Bill, which is anticipated to be submitted in Parliament’s Monsoon session, to an “individual who has not completed the age of eighteen years or such lower age as the central government may notify.” A child was defined as an “individual who has not completed eighteen years of age” in the 2022 draft.
Under deemed consent, the government has also added the 'legitimate business interest' clause
This clause allows businesses to process personal data without obtaining explicit consent if it is required for their legitimate business interests. The measure recognises that corporations have legitimate objectives, such as innovation, that can be pursued without jeopardising privacy.
Change in Data Protection Boards
The Digital Personal Data Protection Bill 2022, India’s new plan to secure personal data, represents a significant shift in strategy by emphasising outcomes rather than legislative compliance. This amendment will strengthen the Data Protection Board’s position, as its judgments on noncompliance complaints will establish India’s first systematic jurisprudence on data protection. The Cabinet has approved the bill and may be introduced in Parliament in the Monsoon session starting on July 20.
The draft law leaves the selection of the Data Protection Board’s chairperson and members solely to the discretion of the central government, making it a central government set-up board. The government retains control over the board’s composition, terms of service, and so on. The bill does specify, however, that the Data Protection Board would be completely independent and will have a strictly adjudicatory procedure to adjudicate data breaches. It has the same status as a civil court, and its rulings can be appealed.
India's first regulatory body in Charge of preserving privacy
Some expected amendments to the law include a blacklist of countries to which Indian data cannot be transferred and fewer penalties for data breaches. The bill’s scope is limited to processing digital personal data within Indian territory, which means that any offline personal data and anything not digitised will be exempt from the legislation’s jurisdiction. Furthermore, the measure is silent on the governance of digital paper records.
Conclusion
The Digital Personal Data Protection Bill 2022 is a much-needed piece of legislation that will replace India’s current data protection regime and assist in preserving individuals’ rights. Central Government is looking for a change in the age for consent from 18 to 14 years. The bill underlines the need for verifiable parental consent before processing a child’s personal data, including those under 18. This section seeks to ensure that parents or legal guardians have a say in the processing of their child’s personal data.
Executive Summary:
The internet is a nest of scams and there's much need to be careful with predatory ideas that prey on the naïve people. Within the recent days, a malicious campaign has emerged falsely alleging 28 day free recharge by courtesy of the Prime Minister Narendra Modi. This blog seeks to analyze the tactics used by this scam in luring the victims and give an overview on how one can identify and keep away from such fraudulent activities.
Claim:
In view of the increasing support for the BJP 2024 election, a rumor has allegedly claimed that the Prime Minister Narendra Modi offering a free recharge with a validity period of up-to twenty eight days at cost of ₹239 to all Indian users. The message encourages the users to click on a given link in order to redeem the free recharge, pointing out that this offer is valid until January 26th of 2024.
The Deceptive Journey:
- Insecure Links:The research begins with a suspicious link (http://offerintro[.]com/BJP2024), without any credibility that honest sites use to protect the user information. We should keep in mind that the links which aren’t secure may easily lead to phishing and other cyber threats.
- Multiple Redirects:When users click the link, they are immediately directed through a series of links. This common tactic used by scammers is designed to hide the true origin of their fraudulent scheme, making it difficult for users' efforts to identify the malicious activity.
- False Promises and Fake Comments:The landing page has a banner of the Prime Minister Narendra Modi that makes it look like this is an official channel and hence authentic. Further, false comments can be also included to compliment the alleged initiative. But remember that genuine government announcements are made through legal channels, not by the shady websites.
- Mobile Number Request:As the next step, the users enter their mobile numbers in the specified field. True initiatives never really need the personal information to pass through unofficial lines. This is actually a trick that scammers use to acquire the important information.
- Share to Activate:Once a user has entered the mobile number, he/she is prompted to share the link with others in order to “activate” promised free recharge. This method is most often used by scammers for spreading their fraudulent message beyond the targeted victim.
- Fake Progress Display:When the users have done their part by sharing the link, a false recharge in progress bar is shown to make them believe that it has started. But the consumers are unwittingly playing a part in the fraud.
- Recharge Completion Pop-up:The last stage of fraud includes a pop-up saying that the recharge is done; leaving users with the false belief that they have benefited from a legitimate government initiative.
What we Analyze :
- It is important to note that at this particular point, there has not been any official declaration or a proper confirmation of an offer made by the Prime Minister or from their government. So, people must be very careful when encountering such messages because they are often employed as lures in phishing attacks or misinformation campaigns. Before engaging or transmitting such claims, it is always advisable to authenticate the information from trustworthy sources in order to protect oneself online and prevent the spread of wrongful information.
- The campaign is hosted on a third party domain instead of any official Government Website, this raised suspicion. Also the domain has been registered in very recent times.
- Domain Name: offerintro[.]com
- Registry Domain ID: 2791466714_DOMAIN_COM-VRSN
- Registrar WHOIS Server: whois.godaddy[.]com
- Registrar URL: https://www.godaddy[.]com
- Registrar: GoDaddy[.]com, LLC
- Registrar IANA ID: 146
- Updated Date: 2023-06-18T20:37:20Z
- Creation Date: 2023-06-18T20:37:20Z
- Registrar Registration Expiration Date: 2024-06-18T20:37:20Z
- Name Server: ANAHI.NS.CLOUDFLARE.COM
- Name Server: GARRETT.NS.CLOUDFLARE.COM
CyberPeace Advisory:
- Stay Informed: Beware of the scams and keep yourself updated through authentic government platforms.
- Verify Website Security: Do not get engaged with any insecure HTTP links but focus on URLs that have secure encryption (HTTPS).
- Protect Personal Information: However, be cautious when sharing personal information – especially in a non-official channel.
- Report Suspicious Activity: If you discover any scams or fraudulent activities, report it and the relevant sites to help avoid others from being defrauded of their hard earned money.
Conclusion:
Summing up, Prime Minister Narendra Modi Free Recharge fraud is an excellent illustration that there is always some danger within cyberspace. The way of the method, from insecure links and also multiple redirects to false promises and really data collection make it clear that internet users should be more careful. The importance of staying up-to-date with what is happening in this new digital world, verifying credibility and also privacy are paramount. By being cautiously aware, the people can keep themselves safe from such fraudulent acts and also play a role in ensuring security even for an online world. Remember that an offer which is in a perfect world should be illegal. Therefore, after doing a thorough research we found this campaign to be fake.
Executive Summary:
This report deals with a recent cyberthreat that took the form of a fake message carrying a title of India Post which is one of the country’s top postal services. The scam alerts recipients to the failure of a delivery due to incomplete address information and requests that they click on a link (http://iydc[.]in/u/5c0c5939f) to confirm their address. Privacy of the victims is compromised as they are led through a deceitful process, thereby putting their data at risk and compromising their security. It is highly recommended that users exercise caution and should not click on suspicious hyperlinks or messages.
False Claim:
The fraudsters send an SMS stating the status of delivery of an India Mail package which could not be delivered due to incomplete address information. They provide a deadline of 12 hours for recipients to confirm their address by clicking on the given link (http://iydc[.]in/u/5c0c5939f). This misleading message seeks to fool people into disclosing personal information or compromising the security of their device.
The Deceptive Journey:
- First Contact: The SMS is sent and is claimed to be from India Post, informs users that due to incomplete address information the package could not be delivered.
- Recipients are then expected to take action by clicking on the given link (http://iydc[.]in/u/5c0c5939f) to update the address. The message creates a panic within the recipient as they have only 12 hours to confirm their address on the suspicious link.
- Click the Link: Inquiring or worried recipients click on the link.
- User Data: When the link is clicked, it is suspected to launch possible remote scripts in the background and collect personal information from users.
- Device Compromise: Occasionally, the website might also try to infect the device with malware or take advantage of security flaws.
The Analysis:
- Phishing Technique: The scam allures its victims with a phishing technique and poses itself as the India Post Team, telling the recipients to click on a suspicious link to confirm the address as the delivery package can’t be delivered due to incomplete address.
- Fake Website Creation: Victims are redirected to a fraudulent website when they click on the link (http://iydc[.]in/u/5c0c5939f) to update their address.
- Background Scripts: Scripts performing malicious operations such as stealing the visitor information, distributing viruses are suspected to be running in the background. This script can make use of any vulnerability in the device/browser of the user to extract more info or harm the system security.
- Risk of Data Theft: This type of fraud has the potential to steal the data involved because it lures the victims into giving their personal details by creating fake urgency. The threat actors can use it for various illegal purposes such as financial fraud, identity theft and other criminal purposes in future.
- Domain Analysis: The iydc.in domain was registered on the 5th of April, 2024, just a short time ago. Most of the fraud domains that are put up quickly and utilized in criminal activities are usually registered in a short time.
- Registrar: GoDaddy.com, LLC, a reputable registrar, through which the domain is registered.
- DNS: Chase.ns.cloudflare.com and delilah.ns.cloudflare.com are the name servers used by Cloudflare to manage domain name resolution.
- Registrant: Apart from the fact that it is in Thailand, not much is known about the registrant probably because of using the privacy reduction plugins.
- Domain Name: iydc.in
- Registry Domain ID: DB3669B210FB24236BF5CF33E4FEA57E9-IN
- Registrar URL: www.godaddy.com
- Registrar: GoDaddy.com, LLC
- Registrar IANA ID: 146
- Updated Date: 2024-04-10T02:37:06Z
- Creation Date: 2024-04-05T02:37:05Z (Registered in very recent time)
- Registry Expiry Date: 2025-04-05T02:37:05Z
- Registrant State/Province: errww
- Registrant Country: TH (Thailand)
- Name Server: delilah.ns.cloudflare.com
- Name Server: chase.ns.cloudflare.com
Note: Cybercriminals used Cloudflare technology to mask the actual IP address of the fraudulent website.
CyberPeace Advisory:
- Do not open the messages received from social platforms in which you think that such messages are suspicious or unsolicited. In the beginning, your own discretion can become your best weapon.
- Falling prey to such scams could compromise your entire system, potentially granting unauthorized access to your microphone, camera, text messages, contacts, pictures, videos, banking applications, and more. Keep your cyber world safe against any attacks.
- Never reveal sensitive data such as your login credentials and banking details to entities where you haven't validated as reliable ones.
- Before sharing any content or clicking on links within messages, always verify the legitimacy of the source. Protect not only yourself but also those in your digital circle.
- Verify the authenticity of alluring offers before taking any action.
Conclusion:
The India Post delivery scam is an example of fraudulent activity that uses the name of trusted postal services to trick people. The campaign is initiated by using deceptive texts and fake websites that will trick the recipients into giving out their personal information which can later be used for identity theft, financial losses or device security compromise. Technical analysis shows the sophisticated tactics used by fraudsters through various techniques such as phishing, data harvesting scripts and the creation of fraudulent domains with less registration history etc. While encountering such messages, it's important to verify their authenticity from official sources and take proactive measures to protect both your personal information and devices from cyber threats. People can reduce the risk of falling for online scams by staying informed and following cybersecurity best practices.
