Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Experts demonstrate a post-exploitation tampering technique to display Fake Lockdown mode

Researchers devised a new post-exploitation tampering technique to trick users into believing that their iPhone is in Lockdown Mode. Researchers from Jamf Threat Labs devised a new post-exploit tampering technique to trick users that their compromised iPhone is running in Lockdown Mode while they are performing malicious activities. The researchers pointed out that the issue […]

Fake Lockdown Mode

Researchers devised a new post-exploitation tampering technique to trick users into believing that their iPhone is in Lockdown Mode.

Researchers from Jamf Threat Labs devised a new post-exploit tampering technique to trick users that their compromised iPhone is running in Lockdown Mode while they are performing malicious activities.

The researchers pointed out that the issue is not a flaw in the feature or an iOS vulnerability. A malware. The good news is that this technique has not yet been observed in the wild.

“While Lockdown Mode effectively reduces the attack surface on an iOS device, it’s important to remember that once a device is already compromised, Lockdown Mode doesn’t stop malware from operating.” reads the post published by the researchers. “Lockdown Mode doesn’t function as antivirus software, it doesn’t detect existing infections, and it doesn’t affect the ability to spy on an already compromised device.”

The Lockdown Mode was first introduced by Apple in September 2022 to protect its users against “highly targeted cyberattacks.

However, if the iPhone was previously compromised, the security feature cannot block the malware from running in the background, whether the user activates Lockdown Mode or not

Upon turning on the feature in the Settings app, the method -[PUILockdownModeController setLockdownModeGloballyEnabled:] is triggered. The -[PUILockdownModeController setLockdownModeGloballyEnabled:] is an objective-C method, the researchers exmpained that it is possible to use the method_exchangeImplementations Method Hooking technique to replace its content.

The researchers’ approach is simple, when the user activates Lockdown Mode, a file named /fakelockdownmode_on is generated as an indicator, triggering a userspace reboot. The researchers also intercepted other functions, including -[PUILockdownModeController lockdownModeEnabled()], to simulate the presence of this file.

The device did not reboot and allowed the researchers to inject code to maintain adaptable control over the Lockdown Mode. The researchers pointed out that even malware lacking a persistence mechanism can persistently run and spy on the user.

Fake Lockdown Mode

An attacker could also manipulate the Lockdown Mode on the Safari web browser allowing to view PDF files, which is not possible when the security feature is enabled.

The researchers published a video PoC to show how the technique works. A user activates LockdownMode in Settings, but the feature is not activated because it is still possible to view PDF files in Safari.

In August 2023, Jamf Threat Labs researchers developed a post-exploit persistence technique on iOS 16 that trick victims into believing that the device is in functional Airplane Mode. In reality, the researchers plant an artificial Airplane Mode that modifies the UI to display Airplane Mode icons and cuts internet connection to all apps except the rogue attacker’s application. Using this trick, the attacker can maintain access to the mobile phone even when the user believes it is offline. The researchers pointed out that this technique has not yet been used in attacks in the wild.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hackingApple)