
LightSpy Update Expands Surveillance on iOS Devices

A newer version of the LightSpy spyware, commonly used to target iOS devices, has been found to carry enhanced capabilities that can compromise both the security and the stability of the device. LightSpy for macOS was first discovered by ThreatFabric, which published a report in May 2024 describing its findings on the malware.

After a thorough investigation of the LightSpy client and server systems, the analysts discovered that the same server was being used to manage both the macOS and iOS versions of the program. iPhones are undeniably more secure than Android devices; however, Google has been making constant efforts to close the gap, and Apple devices are by no means immune to attacks.

Apple now regularly alerts users when it detects an attack, a recently released cyber report warns that iPhones are under attack from hackers equipped with enhanced cyber tools, and the advice that "rebooting an Apple device regularly is a good practice for Apple device owners" has become more relevant than ever. LightSpy is a program that many users are already familiar with: several security firms have reported identifying this spyware on multiple occasions.

The spyware targets iOS, macOS, and Android devices alike. It has now resurfaced in the headlines, and ThreatFabric reports that it has been improved considerably. Among other things, the toolset has grown from 12 to 28 plugins; notably, seven of these are destructive plugins that can interfere with the device's boot process. The malware is distributed through attack chains that use known security flaws in Apple iOS and macOS to trigger a WebKit exploit.

The exploit drops a file with a ".PNG" extension, but this file is in fact a Mach-O binary that exploits a memory corruption flaw, CVE-2020-3837, to retrieve next-stage payloads from a remote server. LightSpy ships with a component called FrameworkLoader, which in turn downloads the application's main module, the Core module, and the available plugins, which as of LightSpy 7.9.0 have increased from 12 to 28.
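A file whose name says PNG but whose bytes say Mach-O is a simple, reliable thing to check for. The following Python check is an added example (not code from ThreatFabric's report or from the malware): it compares a file's leading bytes against its extension and flags the mismatch described above. The sample headers at the bottom are constructed inline and are not real LightSpy artefacts.

```python
import os

# Leading bytes of a genuine PNG file.
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

# Mach-O magic values as stored on disk (both byte orders, 32/64-bit, fat).
# Note: 0xCAFEBABE is also the Java class-file magic; a production checker
# should parse the fat header to tell them apart. This example treats it as Mach-O.
MACHO_MAGICS = {
    b"\xfe\xed\xfa\xce": "Mach-O 32-bit (big-endian)",
    b"\xce\xfa\xed\xfe": "Mach-O 32-bit (little-endian)",
    b"\xfe\xed\xfa\xcf": "Mach-O 64-bit (big-endian)",
    b"\xcf\xfa\xed\xfe": "Mach-O 64-bit (little-endian)",
    b"\xca\xfe\xba\xbe": "Mach-O universal (fat) binary",
}

def identify(head: bytes) -> str:
    """Classify a file from its first bytes: 'png', a Mach-O description, or 'unknown'."""
    if head.startswith(PNG_MAGIC):
        return "png"
    return MACHO_MAGICS.get(head[:4], "unknown")

def check_png_name(name: str, head: bytes):
    """Return (flagged, reason) for one file; flags .png names whose content is not PNG."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    kind = identify(head)
    if ext == "png" and kind != "png":
        return True, f"{name}: named PNG but content is {kind}"
    return False, f"{name}: consistent ({kind})"

def scan_dir(root: str):
    """Walk a directory tree and return the reason string for every flagged .png file."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                head = f.read(8)  # 8 bytes cover the PNG signature and any Mach-O magic
            flagged, reason = check_png_name(path, head)
            if flagged:
                hits.append(reason)
    return hits

if __name__ == "__main__":
    # Constructed samples: a real PNG header, and a 64-bit Mach-O header under a .PNG name.
    samples = {
        "photo.png": PNG_MAGIC + b"\x00\x00\x00\rIHDR",
        "payload.PNG": b"\xcf\xfa\xed\xfe\x07\x00\x00\x01",  # constructed, not a real sample
    }
    for name, head in samples.items():
        print(check_png_name(name, head)[1])
```

Point `scan_dir()` at a directory of extracted files to list every PNG-named file that does not start with a PNG signature.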

The Dutch security company reports that after the Core starts up, it performs an Internet connectivity check using Baidu.com domains and then examines the arguments passed from FrameworkLoader, which are used to determine the [command-and-control] data and the working directory. The Core then creates subfolders for log files, databases, and exfiltrated data under the /var/containers/Bundle/AppleAppLit/ working directory path.

The plugins can collect a wide range of data, including Wi-Fi network information, screenshots, location, iCloud Keychain contents, sound recordings, photos, browser history, contacts, call history, and SMS messages. They can also gather data from apps such as Files, LINE, Mail Master, Telegram, Tencent QQ, WeChat, and WhatsApp, as well as from search engines. Notably, some of the recently added plugins include destructive features that can erase contacts, media files, SMS messages, Wi-Fi settings profiles, and browsing history.

In the latest version of LightSpy (7.9.0), the FrameworkLoader component is responsible for downloading and installing LightSpy's Core module and its plugins, which have grown in number from 12 to 28. On startup, the Core queries the Baidu.com domain to confirm Internet connectivity before examining the arguments provided by FrameworkLoader, which supply the working directory and command-and-control data. The Core creates subfolders for logs, databases, and exfiltrated data under the default working directory path /var/containers/Bundle/AppleAppLit/.

In some cases, these plugins are even capable of freezing the device and preventing it from booting again. Some LightSpy plugins can also create fake push notifications with an attacker-chosen URL embedded in them. Analysis of the C2 logs showed that 15 devices had been infected, eight of which were iOS devices.

Researchers suspect that most of these devices were deliberately infected from China or Hong Kong, as they frequently connect to a Wi-Fi network called Haso_618_5G, which resembles a test network and appears to originate from China or Hong Kong. ThreatFabric's investigation also found that LightSpy contains a unique plugin for recalculating location data specific to Chinese systems, suggesting that the spyware's developers may be based in China, since the information it relies on appears to have been obtained from Chinese sources.

LightSpy's operators rely heavily on "one-day exploits," taking advantage of vulnerabilities as soon as they become public. ThreatFabric recommends that iOS users reboot their devices regularly: because LightSpy depends on a "rootless jailbreak," it cannot survive a reboot, which gives users a simple but effective means of disrupting persistent spyware infections on their devices.

As the researchers put it, "The LightSpy iOS case illustrates the importance of keeping system updates current," and they advise users to do just that. "The threat actors behind the LightSpy attack monitor security researchers' publications closely, using exploits that have recently been reported by security researchers as a means of delivering payloads and escalating their privileges on affected devices." The infection most likely takes place through lures that lead to compromised websites frequented by the intended victim groups, so-called watering holes.

For users concerned about their exposure to such attacks, ThreatFabric advises a regular reboot if their iOS is not up to date. Although rebooting will not prevent the spyware from re-infecting the device, it can reduce the amount of data attackers are able to extract. Rebooting the device regularly provides an additional layer of defence by temporarily disrupting the spyware's ability to persistently gather sensitive information.

LightSpy Spyware: A Chinese Affair Targeting iPhone Users in South Asia

The LightSpy spyware has been used in a recent cyberespionage campaign to spy on users of iPhones, iPads, and other mobile devices in the South Asian region. According to reports, the actors behind this campaign are China-based hackers who have been planning surveillance attacks against a specific area.

This latest version of LightSpy, codenamed 'F_Warehouse,' also features a modular structure that significantly enhances the program's spying abilities. Since most of the allegedly infected individuals appear to be located in India, initial investigations suggest a possible focus on that country.

Researchers found that the Apple iOS spyware known as LightSpy is being used in cyber espionage campaigns targeting South Asia. This sophisticated mobile spyware has resurfaced after a period of inactivity lasting several months. In a report published by the BlackBerry Threat Research and Intelligence Team, security researchers state that the most recent LightSpy campaign uses a highly sophisticated, modular spying framework.

To protect communication with its command-and-control servers from interception and detection, LightSpy employs certificate pinning. The campaign is believed to target primarily iPhone users in India, although incidents have also recently been reported in Bangladesh, Sri Lanka, Afghanistan, Pakistan, Bhutan, the Maldives, and Iran. As in previous campaigns, the attackers are suspected of deploying LightSpy through compromised news websites carrying Hong Kong-related stories.

In its report, BlackBerry found that the loader delivers the core implant along with several plugins that extend the capabilities of the primary backdoor. LightSpy is considered an iOS backdoor that spreads via watering-hole attacks, in which attackers compromise websites popular with their intended targets and infect the systems or mobile devices of those who visit them.

According to BlackBerry, the latest spyware attacks appear to have been staged through infected news websites: targeted individuals visited these sites and ended up with LightSpy installed on their devices. Spyware of this kind typically gathers information such as phone numbers, SMS messages, precise location, and voicemail from the device, among other things.

The report suggests that the attack was carried out by Chinese hackers, as its infrastructure and functionality closely resemble those of the DragonEgg spyware, which is associated with a Chinese nation-state hacking group linked to the attack. Specifically, the report states that LightSpy can harvest location data, sound recordings, contacts, SMS messages, and data from apps such as WeChat and Telegram in order to extract sensitive information from the phone.

The re-emergence of the LightSpy implant highlights the growing threat posed by mobile espionage campaigns. Apple's security updates are all the more important after the recent mercenary spyware attacks that affected iPhone users in 92 countries, a campaign in line with this one in its worldwide impact on iPhone users.

As BlackBerry points out, the most recent version of LightSpy discovered this month can also retrieve files and data from popular apps such as Telegram and WeChat, iCloud Keychain data, and the web browsing history of Safari and Chrome. Indications of possible state-sponsored involvement in LightSpy's development include certificate pinning, which prevents interception of communication with its C2 server, and Chinese-language artefacts in the implant's source code.

Apple's recent threat notifications, sent to users in 92 countries including India, show that the situation has grown more severe. It is unsurprising that LightSpy, a mobile spying tool with potent new capabilities, has resurged and now poses an alarming threat to individuals and organisations throughout South Asia, marking a troubling escalation in mobile spying attacks.