Cynthia B@Metacurity
//
Despite US sanctions, Intellexa's Predator spyware continues to operate, recovering from setbacks and surfacing in new locations with fresh techniques for evading detection. Recorded Future reports that it has linked Intellexa infrastructure to new locations. Its findings suggest that Intellexa, also known as the Intellexa Consortium, is actively responding to sanctions and public exposure and will likely keep adapting its methods, which underlines how hard it remains to curb the proliferation of commercial surveillance tools.
Recorded Future's Insikt Group identified a previously unknown customer in Mozambique, a connection to a Czech entity, and activity linked to an Eastern European country. The Eastern European activity was brief and suggests possible development or testing of the spyware rather than an established customer deployment. The Mozambique customer fits the already documented concentration of Predator activity across Africa. Intellexa has also taken to disguising its infrastructure with fake websites, including counterfeit login pages and sites posing as conference-related, to make its operations harder to attribute.
Julian-Ferdinand Vögele, a threat researcher with Recorded Future, stated that “Intellexa’s Predator remains active and adaptive, relying on a vast network of vendors, subsidiaries, and other companies.” While Predator activity has declined since sanctions and public exposure, the spyware maker is still finding ways to keep the spyware active and available to customers. The report from Recorded Future warns that "Sanctions and other pressures are likely to drive efforts to increase the complexity of corporate structures, making operations harder to trace and disrupt," emphasizing the importance of continued vigilance and proactive measures to counter the evolving threat posed by Predator.
References :
- Risky.Biz: Risky Bulletin: Predator spyware alive despite US sanctions
- Metacurity: Customers keep buying Predator spyware despite US sanctions
- Risky Business Media: Risky Bulletin: Predator spyware alive despite US sanctions
- cyberscoop.com: Predator spyware activity surfaces in new places with new tricks
Classification:
- HashTags: #spyware #sanctions #surveillance
- Company: Intellexa
- Attacker: Intellexa
- Product: Predator
- Feature: Continued Operation
- Malware: Predator
- Type: Spyware
- Severity: Major
Pierluigi Paganini@securityaffairs.com
//
Apple has released details about a zero-day vulnerability, CVE-2025-43200, that was exploited by Paragon's Graphite spyware to hack at least two journalists' iPhones in Europe. The vulnerability was a zero-click flaw in iMessage, allowing attackers to compromise devices without any user interaction. Apple had quietly patched the flaw in iOS 18.3.1, which was released on February 10, but the details of the vulnerability were not publicized until recently.
The security advisory was updated four months after the initial iOS release to include the zero-day flaw, described as a logic issue when processing a maliciously crafted photo or video shared via an iCloud Link. Apple stated that they were aware of a report that this issue was exploited in an "extremely sophisticated attack against specific targeted individuals." Citizen Lab confirmed that this was the flaw used against Italian journalist Ciro Pellegrino and an unnamed "prominent" European journalist.
Citizen Lab also confirmed that Paragon's Graphite spyware was used to hack the journalists' iPhones. This incident is part of a growing trend of mercenary spyware operators exploiting iOS through silent attack chains. The now-confirmed infections call into question a report by Italian lawmakers, which didn't mention one of the hacked journalists. It remains unclear why Apple did not disclose the existence of the patched flaw until four months after the release of the iOS update, and an Apple spokesperson did not respond to a request for comment seeking clarity.
References :
- infosec.exchange: NEW: Four months after releasing iOS 18.3.1, Apple has published details about a zero-day that it fixed at the time, but did not publicize.
- Zack Whittaker: Citizen Lab have confirmed two journalists had their phones hacked with Paragon's Graphite spyware, likely by the same customer.
- securityaffairs.com: Security researchers at Citizen Lab revealed that Paragon’s Graphite spyware can hack fully updated iPhones via zero-click attacks.
- techcrunch.com: Apple fixes new iPhone zero-day bug used in Paragon spyware hacks
- The Citizen Lab: Graphite Caught: First Forensic Confirmation of Paragon’s iOS Mercenary Spyware Finds Journalists Targeted - The Citizen Lab
- infosec.exchange: Researchers found forensic evidence of Paragon's spyware on the iPhones of two journalists. One is Ciro Pellegrino, who works for Fanpage.
- Zack Whittaker: NEW: Apple has confirmed in a now-updated February security advisory that it fixed a zero-day bug used in an "extremely sophisticated attack."
- cyberinsider.com: New Zero-Click iMessage Exploit Infected iPhones with Paragon Spyware
- securityaffairs.com: Apple confirmed that Messages app flaw was actively exploited in the wild
- The Hacker News: Apple Zero-Click Flaw in Messages Exploited to Spy on Journalists Using Paragon Spyware
- Help Net Security: iOS zero-click attacks used to deliver Graphite spyware (CVE-2025-43200)
- thecyberexpress.com: Apple Patches Flaw Exploited in Zero-click Paragon Spyware Attacks
- Schneier on Security: Paragon Spyware Used to Spy on European Journalists
- citizenlab.ca: First forensic confirmation of Paragon's iOS mercenary spyware finds journalists targeted
Classification:
- HashTags: #AppleSecurity #ZeroDay #GraphiteSpyware
- Company: Apple
- Target: Journalists, High-Profile Individuals
- Product: iOS
- Feature: Zero-Click Exploit
- Malware: Graphite
- Type: 0Day
- Severity: Critical
@The DefendOps Diaries
//
Millions of AirPlay-enabled devices are exposed by a set of 23 vulnerabilities, collectively named "AirBorne", that Oligo Security found in Apple's AirPlay protocol, the AirPlay Software Development Kit (SDK) that third parties embed in their products, and the CarPlay communication plug-in. An attacker on the same local network (typically the same Wi-Fi) can use them to execute code remotely on vulnerable devices, which puts third-party receivers such as smart TVs, speakers, and CarPlay head units at particular risk.
The flaws lie in Apple's implementation of the AirPlay protocol and SDK, which is used to stream media between devices. Depending on the bug, exploitation yields zero-click or one-click remote code execution, bypass of AirPlay access controls (ACLs), reading of local files, or man-in-the-middle attacks, and some of the RCE bugs are wormable, so a compromised receiver can attack other AirPlay devices on the same network. The end result is full device takeover and theft of whatever data the device holds.
Apple has patched the AirBorne flaws in its own products (iPhone, iPad, Mac, Apple TV, and Vision Pro) with the iOS 18.4 release and its counterparts for the other platforms, but third-party devices built on the AirPlay SDK are fixed only when each vendor ships firmware that incorporates the updated SDK, and many such devices may remain vulnerable for years. Cybersecurity experts estimate that tens of millions of devices could be affected. Until a vendor fix lands, the practical mitigations are to update or disable the AirPlay receiver where the device allows it and to keep AirPlay devices off networks shared with untrusted clients, treating public Wi-Fi as hostile.
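As an added example for this digest (not code from Oligo or Apple), the following Python script builds the kind of inventory a defender needs in order to act on the third-party-device warning above: it parses the TXT records that AirPlay receivers advertise over mDNS on the _airplay._tcp service and lists third-party and version-less devices first. The sample records are constructed; the split between Apple and third-party models is a heuristic on Apple's model-identifier prefixes, and the optional live scan relies on the python-zeroconf package's ServiceBrowser/ServiceListener API (an assumption about that library, not exercised by the sample). The script reports what is on the network, not whether a given device is exploitable; that still has to be confirmed against each vendor's advisory.

```python
"""Inventory AirPlay receivers advertised over mDNS so third-party devices
still running an unpatched AirPlay SDK can be tracked down. Added example
for this digest, not code from Oligo or Apple. Receivers advertise an
_airplay._tcp service whose TXT record carries keys such as model= and
srcvers= (the AirPlay implementation version). This only inventories
devices; it does NOT test whether any of them is exploitable."""
import time
from dataclasses import dataclass, field

AIRPLAY_SERVICE = "_airplay._tcp.local."
# Assumption: Apple's first-party receivers use these model-identifier
# prefixes; anything else is treated as a third-party AirPlay SDK device.
APPLE_MODEL_PREFIXES = ("AppleTV", "AudioAccessory", "Mac", "iPhone", "iPad",
                        "RealityDevice")


@dataclass
class AirPlayDevice:
    name: str
    address: str
    model: str
    srcvers: str
    third_party: bool
    notes: list[str] = field(default_factory=list)


def version_tuple(srcvers: str) -> tuple[int, ...]:
    """'770.8.1' -> (770, 8, 1); empty or non-numeric strings sort lowest."""
    out = []
    for part in srcvers.split("."):
        if not part.isdigit():
            break
        out.append(int(part))
    return tuple(out)


def parse_airplay_txt(name, address, props) -> AirPlayDevice:
    """One service's TXT dict (bytes keys/values, as zeroconf returns them)
    becomes an inventory record with follow-up notes."""
    def txt(key: str) -> str:
        raw = props.get(key.encode())
        return raw.decode(errors="replace") if raw else ""

    model, srcvers = txt("model"), txt("srcvers")
    third_party = not model.startswith(APPLE_MODEL_PREFIXES)
    dev = AirPlayDevice(name.removesuffix("." + AIRPLAY_SERVICE), address,
                        model, srcvers, third_party)
    if third_party:
        dev.notes.append("third-party AirPlay SDK: confirm vendor firmware fix")
    if not srcvers:
        dev.notes.append("no srcvers advertised: version unknown, check by hand")
    return dev


def inventory(records) -> list[AirPlayDevice]:
    """Parse (name, address, txt) tuples; third-party devices first,
    lowest advertised version first within each group."""
    devs = [parse_airplay_txt(*r) for r in records]
    devs.sort(key=lambda d: (not d.third_party, version_tuple(d.srcvers), d.name))
    return devs


def discover(timeout: float = 3.0) -> list[AirPlayDevice]:
    """Live scan of the local segment. Needs the third-party python-zeroconf
    package (pip install zeroconf); uses its ServiceBrowser/ServiceListener
    API (assumption about that library, not exercised by the sample below)."""
    from zeroconf import ServiceBrowser, ServiceListener, Zeroconf

    seen = []

    class Collect(ServiceListener):
        def add_service(self, zc, type_, name):
            info = zc.get_service_info(type_, name)
            if info is not None:
                addrs = info.parsed_addresses() or ["?"]
                seen.append((name, addrs[0], info.properties))

        remove_service = update_service = lambda self, zc, type_, name: None

    zc = Zeroconf()
    try:
        ServiceBrowser(zc, AIRPLAY_SERVICE, Collect())
        time.sleep(timeout)
    finally:
        zc.close()
    return inventory(seen)


# Constructed sample in the shape zeroconf yields (not real scan output).
SAMPLE_RECORDS = [
    ("Living Room._airplay._tcp.local.", "192.0.2.10",
     {b"model": b"AppleTV14,1", b"srcvers": b"770.8.1"}),
    ("Kitchen Speaker._airplay._tcp.local.", "192.0.2.21",
     {b"model": b"Example-Speaker", b"srcvers": b"366.0"}),
    ("Conference TV._airplay._tcp.local.", "192.0.2.33",
     {b"model": b"SmartTV-Vendor-X"}),
]

if __name__ == "__main__":
    for d in inventory(SAMPLE_RECORDS):   # swap in discover() for a live scan
        print(f"{d.name:<16} {d.address:<12} {d.model:<18} {d.srcvers or '?':<9}"
              + "; ".join(d.notes))
```

Run against the constructed sample it lists the unversioned third-party TV first, then the third-party speaker, then the Apple TV; on a real segment replace the sample with `discover()` and reconcile every third-party row with the vendor's firmware changelog, because the srcvers string tells you which AirPlay implementation a device runs, not whether that vendor has rebuilt it against the fixed SDK.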
References :
- CyberInsider: ‘AirBorne’ Flaws Expose Apple Devices to Zero-Click RCE Attacks
- WIRED: Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi
- BleepingComputer: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
- bsky.app: Oligo security researchers have disclosed over two dozen vulnerabilities in the Apple AirPlay protocol and SDK. Collectively named AirBorne, the vulnerabilities can allow attackers on the same network to run malicious code on any Apple device that supports AirPlay.
- BleepingComputer: A set of security vulnerabilities in Apple's AirPlay Protocol and AirPlay Software Development Kit (SDK) exposed unpatched third-party and Apple devices to various attacks, including remote code execution.
- securityonline.info: AirBorne Exploits: Zero-Click Wormable RCE Hits Apple & IoT Devices
- The DefendOps Diaries: Explore AirBorne vulnerabilities in Apple's AirPlay, posing zero-click RCE threats to devices, and learn about mitigation measures.
- securityaffairs.com: AirBorne flaws can lead to fully hijack Apple devices
- www.oligo.security: Oligo Security blog post on AirBorne vulnerability.
- www.techradar.com: Millions of Apple AirPlay devices susceptible to 'AirBorne' zero-click RCE attacks, so patch now
- PCMag UK security: 'AirBorne' Flaw Exposes AirPlay Devices to Hacking: How to Protect Yourself
- Help Net Security: Vulnerabilities in Apple’s AirPlay Protocol, AirPlay Software Development Kits (SDKs), and the CarPlay Communication Plug-in could allow attackers to compromise AirPlay-enabled devices developed and sold by Apple and by other companies.
- Blog: New Apple zero-days go ‘AirBorne’
- bsky.app: Apple 'AirBorne' flaws can lead to zero-click AirPlay RCE attacks
- www.helpnetsecurity.com: Airplay-enabled devices open to attack via “AirBorne” vulnerabilities
- Blog: How to find Apple AirPlay devices on your network
- Risky.Biz: In other news: Marks & Spencer sends staff home after ransomware attack; China accuses US of hacking cryptography provider; AirBorne vulnerabilities impact Apple's AirPlay.
- Risky Business Media: The French government calls out Russian hacks for the first time, Marks & Spencer sends staff home after a ransomware attack, China accuses America of hacking a major cryptography provider, and AirBorne vulnerabilities impact Apple’s AirPlay.
- Risky Business Media: Risky Business #789 -- Apple's AirPlay vulns are surprisingly awful
- The Record: Millions of Apple Airplay-enabled devices can be hacked via Wi-Fi
- securityaffairs.com: Vulnerabilities in Apple’s AirPlay protocol and SDK exposed Apple and third-party devices to attacks, including remote code execution. Oligo Security found serious flaws, collectively tracked as AirBorne, in Apple’s AirPlay protocol and SDK, affecting Apple and third-party devices. Attackers can exploit the vulnerabilities to perform zero-/one-click RCE, bypass ACLs, read local files, steal data, and […]
- arstechnica.com: Millions of Apple AirPlay-Enabled Devices Can Be Hacked via Wi-Fi
- www.scworld.com: Researchers reveal a collection of bugs known as AirBorne that would allow any hacker on the same Wi-Fi network as a third-party AirPlay-enabled device to surreptitiously run their own code on it.
- www.pcmag.com: Apple rolled out a fix with iOS 18.4, but third-party AirPlay-compatible devices remain exposed. Researchers at cybersecurity firm Oligo have found major vulnerabilities in Apple's AirPlay protocol that allow hackers to breach compatible devices on the same Wi-Fi network.
- Malwarebytes: Apple AirPlay SDK devices at risk of takeover—make sure you update
- hackread.com: Billions of Apple Devices at Risk from “AirBorne” AirPlay Vulnerabilities
- PhoneArena - Articles: Millions of AirPlay-enabled devices are at risk of being attacked by "AirBorne" security threat
- The Hacker News: Wormable AirPlay Flaws Enable Zero-Click RCE on Apple Devices via Public Wi-Fi
Classification:
- HashTags: #AirPlay #ZeroClickRCE #AppleSecurity
- Company: Apple
- Target: Apple and third-party devices
- Researcher: Oligo Security
- Product: AirPlay
- Feature: AirPlay Protocol
- Vulnerability: AirBorne
- Type: Remote Code Execution
- Severity: Critical