New iShutdown method exposes hidden spyware on iPhones

Jan 18 2024

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that’s your trusty Parka coat in the blizzard of cybercrime ❄️☃️????⛷️????️????????⛸️????️

 Today’s hottest cybersecurity news stories:

  • ???? New iShutdown method exposes hidden spyware on iPhones ????

  • ???? Feds: AndroxGh0st botnet targets AWS, Azure, Office 365 ????‍????

  • ???? The future of Point of Sale devices is Android but scammers lurk ????

Ring, Ring, Ring & It’s iShutdown ????????????

???? Breaking Cyber News: Unveiling iShutdown – Your iOS Spyware Defender! ????????️

Researchers have just introduced iShutdown, a game-changing method to detect notorious spyware (think Pegasus, Reign, and Predator) on Apple iOS devices. ????????️‍♂️

???? Behind the Scenes:

Kaspersky's deep dive into compromised iPhones revealed a crucial breadcrumb trail – the "Shutdown.log" file. This file, tucked away on every iOS device, spills the beans on reboot events and spyware footprints. ????✨

???? Quick and Efficient:

Forget lengthy procedures! Retrieving the Shutdown.log is a breeze compared to traditional methods. Security guru Maher Yamout highlights its simplicity and accessibility. Plus, this log stores entries for years, making it a goldmine for forensic analysis! ????️‍♀️????

???? Spyware Exposed: Kaspersky's investigation uncovers reboot delays caused by "sticky" spyware processes. The log entries point to a common filesystem path, acting as a red flag for compromise. ????????

???? User Involvement:

Here's the catch – iShutdown's effectiveness relies on frequent user reboots. The more, the better! ⚠️????

????️ Tools for You:

Kaspersky generously shares Python scripts for extracting and analysing Shutdown.log, empowering tech enthusiasts to stay one step ahead in the cyber game. ????????

???? MacOS Alert:

Meanwhile, macOS info-stealers like KeySteal and Atomic are evolving rapidly, outsmarting Apple's built-in antivirus, XProtect. Security expert Phil Stokes advises against relying solely on signatures in the ever-changing threat landscape. ????????

???? Stay Informed, Stay Secure:

Dive into the nitty-gritty details and fortify your digital fortress against evolving cyber threats! ????️????

Learn AI in 5 minutes a day. We'll teach you how to save time and earn more with AI. Join 400,000+ free daily readers for trending tools, productivity boosting prompts, the latest news, and more.

What’s the matter? You look like you’ve seen a Gh0st ????????????

???? Alert: AndroxGh0st Malware Unleashes Threatening Botnet! ????????

???? A major cybersecurity warning from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI: AndroxGh0st malware is on the prowl, creating a dangerous botnet for "victim identification and exploitation in target networks." ????????

???? About AndroxGh0st:

This Python-based malware, discovered by Lacework in December 2022, has spawned nefarious siblings like AlienFox, GreenBot, Legion, and Predator. ????

???? Capabilities:

AndroxGh0st infiltrates servers with known security flaws, accessing Laravel environment files to snatch credentials for big players like AWS, Microsoft Office 365, SendGrid, and Twilio. It exploits vulnerabilities like PHPUnit, Apache HTTP Server, and Laravel Framework. ????️‍♂️????

????️ Weapons in its Arsenal:

Lacework warns that AndroxGh0st boasts features for SMTP abuse, scanning, exploiting exposed credentials and APIs, and deploying web shells. For AWS, it not only scans for keys but can generate them for brute-force attacks. ????????

???? Botnet Power:

Compromised AWS credentials lead to new users, policies, and even setting up malicious AWS instances for more scanning. AndroxGh0st is a persistent threat, capable of downloading additional payloads and maintaining access to compromised systems. ????????

???? Cloud Threat Landscape:

The alert coincides with the emergence of FBot, a related tool revealed by SentinelOne. The cloud threat landscape is evolving, with attackers using tools like AlienFox and Legion, creating a complex ecosystem. ????????

???? Botnet Scanning Spike:

NETSCOUT reports a significant increase in botnet scanning activity since mid-November 2023, peaking at almost 1.3 million devices on January 5, 2024. The source IPs are linked to the U.S., China, Vietnam, Taiwan, and Russia. ????????

???? Analysis:

Attackers leverage cheap or free cloud servers to create botnet launch pads, ensuring anonymity and low maintenance overhead. The cybersecurity community is on high alert! ????????

???? Stay Secure, Stay Informed:

Dive into the details, fortify your defences, and keep a close eye on the evolving cloud threat landscape. Your digital safety is our priority! ????

???? Catch of the Day!! ????????????

???? The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya ???? Let us tell who’s not fooling around though; that’s the Crüe ???? at Motley Fool. You’d be a fool (alright, enough already! ????) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! ???? Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets ???? (LINK)


???? Wander: Find your happy place. Cue Happy Gilmore flashback ????️⛳????????️ Mmmm Happy Place… ???? So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway ????️???? (LINK)


???? Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts ???????? (Great movie, to be fair ????). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty ????). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho ???? And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! ???? (LINK)

These aren’t the Androids you’re looking for ????

???? Breaking News: Android-Based POS Devices Vulnerable ????????

Brace yourselves for a crucial cybersecurity update! ???????? Banking companies globally are ditching custom Point of Sale (POS) devices for the robust Android operating system. The era of colourful touchscreens is here, but it comes with risks! ????????

????️ Android's Secure Facade:

While Android is known for its security, the STM Cyber R&D team discovered vulnerabilities in POS devices from PAX Technology, rapidly deployed in Poland. Here's the lowdown on six CVE-assigned vulnerabilities:

⏳ Application Sandbox:

Android's heavy sandboxing prevents apps from interfering, but certain high-privileged apps running as root users pose a risk. If attackers escalate to root, they can tamper with payment operations, though card information remains encrypted in a Secure Processor (SP).

Attack Vectors: STM Cyber explored two attack vectors:

  • Local Code Execution: Requires physical access, but an interesting vector for POS devices.

  • PAX A920 was found vulnerable to CVE-2023-4818, while A920Pro and A50 faced CVE-2023-42134 and CVE-2023-42135.

  • Privilege Escalation: CVE-2023-42136 allows escalation from any user to the system account, broadening the attack surface.

???? CVE-2023-42133: (Reserved for now) ????

???? CVE-2023-42134:

  • Local code execution as root via kernel parameter injection in fastboot for PAX A920Pro/PAX A50. CVSS Score: 7.6.

  • Impact: Local code execution as root.

  • Vulnerable version: PayDroid 8.1.0_Sagittarius_11.1.50_20230314. CERT.PL Reference

???? Resolution: A fix is confirmed in PayDroid 8.1.0_Sagittarius_V02.9.99T9_20230919. ????

???? Takeaway: While Android-based POS devices offer convenience, stay vigilant! Ensure your systems are up-to-date to fend off potential exploits. For detailed technical insights, check out the CERT.PL reference.

????️ Secure Your Transactions, Stay Informed: Dive into the details and fortify your cybersecurity measures to keep your transactions safe! ????????

????️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Wealthy Primate: Want to earn over $100k a year in IT or cybersecurity? 20 year veteran 'Wealthy Primate' might be able to help you climb that tree ???????? with his stick and banana approach ????????

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles