Survey Results: The Top Content and Communities for IT & Security Pros
Iru Team

11 min read

Are you curious where your peers get updates on the latest IT and security news? Or maybe you have an inside scoop on a resource or conference that deserves more recognition? We were curious, too. So we took the question to our community in a broad survey of professionals, from security experts to technology leaders and admins. The responses gave us great insight into where IT and security practitioners are hanging out online and in person, including the top:

Reports
Caught in the WebKit: Getting Tangled with CVE-2025-24201
Shwena Kak & Candace Jensen

4 min read

Web browsers are the gateway to the internet and a ubiquitous fixture of every enterprise device, making them a critical point of exposure. When managing your fleet you may ask: are we aware of the vulnerabilities affecting our users’ browsers? While vulnerability databases are a great place to start, the widespread reuse of common codebases makes it harder to trace and recognize vulnerabilities that affect multiple products.

Threat Intelligence
Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 3
Csaba Fitzl

10 min read

In the previous two parts of this series, we explored vulnerabilities in macOS’s diskarbitrationd daemon. In part 1, we explored how an attacker could use it to escape the sandbox or escalate privileges. In part 2, we explored how a directory traversal attack could be used to bypass Transparency, Consent, and Control (TCC) protections. Each of these vulnerabilities highlighted the risks posed by weaknesses in macOS’s system daemons and how attackers could chain them together for even greater impact.

Threat Intelligence
DPRK DriverEasy & ChromeUpdate Deep Dive
Christopher Lopez

16 min read

Over the last few months, several Swift applications have been attributed to the North Korea Contagious Interview effort. These applications are presented to victims as part of a fake job interview process. SentinelOne recently published a blog post on “Flexible Ferret” and other related applications including two named ChromeUpdate (which was originally covered by dmpdump in their blog post) and CameraAccess. Moonlock Lab also recently covered the ChromeUpdate and CameraAccess applications in a blog post, which provided an overview of what they do.

Threat Intelligence
Vulnerability Management: First Unified Platform to Detect & Remediate on Mac
Matt Day

4 min read

With attackers exploiting vulnerabilities three times more frequently than last year, managing vulnerabilities across a Mac fleet requires comprehensive visibility and timely action. Today, the Iru team is excited to announce Iru Vulnerability Management, which helps IT and security teams identify and remediate vulnerabilities through a unified workflow.

Product News
Banshee Rust Rewrite?
Christopher Lopez

9 min read

Infostealers targeting macOS are evolving rapidly, which makes continuous monitoring essential; our team is always on the lookout for them. Many infostealers share similar behaviors aimed at exfiltrating data from compromised systems. In fact, these similarities can make it difficult to distinguish one infostealer from another without a deep understanding of what to look for.

Threat Intelligence
How to Manage Activation Lock: A Guide for Apple Admins
Mike Boylan

10 min read

Activation Lock is a theft-deterrent feature found in iOS and iPadOS devices and modern Mac computers (those with the Apple T2 Security chip or Apple silicon). When someone attempts to set up such a device after it has been erased, it checks with Apple servers to see whether Activation Lock is on. If it is, the device requires the user’s Apple Account password before it can be used again (reactivated). This effectively removes the device’s resale value, making it less attractive to thieves.

Thought Leadership
Potential Stealer: Purrglar in Progress
Christopher Lopez & Nick Zolotko

28 min read

Unlike traditional viruses or ransomware, stealers are designed with a singular purpose: to quietly infiltrate systems and exfiltrate sensitive data, often without the victim ever realizing it. These malicious programs are highly focused on gathering personal information, usually to be sold or used for further criminal activity.

Threat Intelligence
Uncovering Apple Vulnerabilities: diskarbitrationd and storagekitd Audit Part 2
Csaba Fitzl

18 min read

Iru's Threat Research team recently performed an audit of the macOS diskarbitrationd and storagekitd system daemons, uncovering several vulnerabilities. Our team reported all of them to Apple through their responsible disclosure program, and now that they are fixed, we are releasing the details in this blog series; this is part two.

Threat Intelligence
Uncovering Apple Vulnerabilities: The diskarbitrationd and storagekitd Audit Story Part 1
Csaba Fitzl

20 min read

The Iru team is always looking for ways to help keep your devices secure. In line with that, our Threat Research team performed an audit of the macOS diskarbitrationd and storagekitd system daemons, uncovering several vulnerabilities, including sandbox escapes, local privilege escalations, and TCC bypasses. Our team reported all of them to Apple through their responsible disclosure program, and now that they are fixed, we are releasing the details.

Threat Intelligence
It’s About The Journey: Fake Cloudflare Authenticator
Adam Kohler & Christopher Lopez

23 min read

In order to provide the best possible coverage for Iru EDR, the threat intelligence team conducts threat hunts across various data feeds. On October 15th, 2024, we came across a suspicious-looking file on VirusTotal named Cloudflare Security Authenticator/cloudflare-auth-tauri. The file had been uploaded from China that same day, was unsigned, and carried the dropper tag. As of this writeup, the application had 0 detections on VirusTotal.

Threat Intelligence
Another PDF Viewer - Is It Malicious?
Christopher Lopez

15 min read

For security researchers, time spent reversing a potentially suspicious file does not always end with a finding of malicious behavior. There is always something to learn from these efforts, and sometimes they make for an interesting story even when no malware is found. I considered not writing this up but decided (with some help from friends) to release it as an article detailing the process of trying to determine whether something is malicious. This is one such story: a PDF that requires a specific PDF viewer application in order to open and extract an encrypted embedded PDF to display to the user, which is definitely a little strange.

Threat Intelligence
How to Level Up Your Security Education Program
Iru Team

4 min read

Educating end users is a core responsibility for security teams. Not only are such education programs required by compliance regimes, they are also one of the most effective ways to actually maintain security: users are now one of the key attack vectors for bad actors. The more users know about the threats and how to respond to them, the better they will be able to defend themselves and your organization.

Educational
Migrating MDM on iOS and iPadOS Using Return to Service
Alexandre Morin & Brian Van Peski

7 min read

When you’re migrating from one MDM solution to another, the devices you manage have to move with you. They need to be enrolled in the new solution before you can manage them there.

Educational
TodoSwift Disguises Malware Download Behind Bitcoin PDF
Christopher Lopez

19 min read

A signed file named TodoTasks was uploaded to VirusTotal on 2024-07-24. This application shares several behaviors with malware we’ve seen that originated in North Korea (DPRK), specifically from the threat actor known as BlueNoroff, such as KandyKorn and RustBucket. Given these commonalities, we believe this new malware, which we’re dubbing TodoSwift, is likely from the same source.

Threat Intelligence