- Apple -
Last update 09.10.2017 13:46:27
Introduction List Kategorie Subcategory 0 1 2 3 4 5 6 7 8
Apple Patches Dozens of Vulnerabilities Across Product Lines
31.3.2018 securityweek Apple
Apple this week released a new set of security patches to address tens of vulnerabilities impacting macOS, iOS, watchOS, and tvOS, as well as Windows software.
Over 40 security bugs were fixed with the release of iOS 11.3 on Thursday. The bugs affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.
WebKit was affected the most, with a total of 19 issues resolved. Components such as CoreFoundation, CoreText, File System Events, iCloud Drive, Kernel, Mail, PluginKit, Safari, Security, and Storage were impacted as well.
Exploitation of these flaws could result in an attacker being able to run arbitrary code on the vulnerable device, in malicious applications elevating their privileges, user interface spoofing, data exfiltration, interception of encrypted email contents, denial of service, keylogging, the disabling of features on the device, or in causing device restarts.
Multiple memory corruption issues discovered in WebKit could lead to arbitrary code execution when processing maliciously crafted web content. The bugs, 16 in total, were addressed with improved memory handling.
Apple resolved 35 vulnerabilities with the release of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan. The issues impact OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.3.
Affected components include Admin Framework, APFS, CoreFoundation, CoreText, CoreTypes, Disk Images, Disk Management, File System Events, iCloud Drive, Intel Graphics Driver, Kernel, LaunchServices, Mail, Notes, PluginKit, Security, System Preferences, and Terminal.
Exploitation of these issues could lead to exposed passwords, disclosed user information, elevation of privilege, denial of service, arbitrary code execution, reading of restricted memory, code signing enforcement bypass, interception and exfiltration of encrypted email contents, arbitrary command execution spoofing, and keylogging.
Released on Thursday for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4, Safari 11.1 patches 23 flaws that could lead to address bar spoofing, exfiltration of autofilled data without explicit user interaction, arbitrary code execution, cross-site scripting, ASSERT failure, denial of service, and websites exfiltrating data cross-origin.
Of the 23 vulnerabilities, 2 were found in Safari, 1 in Safari Login AutoFill, while the remaining 20 impact WebKit.
A total of 28 bugs were resolved with the release of tvOS 11.3, impacting Apple TV 4K and Apple TV (4th generation). Affected components include WebKit, Kernel, CoreFoundation, CoreText, File System Events, NSURLSession, Quick Look, Security, and System Preferences.
watchOS 4.3 fixes 22 vulnerabilities in CoreFoundation, CoreText, File System Events, Kernel, NSURLSession, Quick Look, Security, System Preferences, and WebKit. All Apple Watch models are impacted by the bugs.
The tech giant also addressed multiple issues in LLVM with the release of Xcode 9.3. The bugs impact macOS High Sierra 10.13.2 or later.
iCloud for Windows 7.4 patches 20 vulnerabilities, 19 of which impact WebKit, the same as iTunes 12.7.4 for Windows does. The bugs could lead to arbitrary code execution, elevation of privileges, ASSERT failure, denial of service, or malicious websites exfiltrating data cross-origin.
macOS High Sierra Logs External Volume Passwords in Plaintext
30.3.2018 securityweek Apple
In macOS High Sierra, the passwords used for Apple File System (APFS)-encrypted external drives are logged and kept in on-disk log files, a security researcher has discovered.
The APFS file system was introduced by Apple with the release of macOS High Sierra and is automatically applied to the startup volume when the platform High Sierra is installed on a computer with a solid-state drive (SSD).
According to Apple, APFS provides strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.
The newly discovered vulnerability, Sarah Edwards reveals, impacts macOS 10.13 platform versions. Initially found when creating a new APFS volume, the bug appears to occur when encrypting previously created but unencrypted volumes as well.
What the expert observed was that the password used for a newly created APFS-formatted FileVault Encrypted USB drive via Disk Utility could be found in unified logs in plaintext.
“The newfs_apfs command can take a passphrase as a parameter using the mostly undocumented “-S” flag. It is not documented in the man page. However when run without parameters, it will show it,” Edwards notes.
The vulnerability was initially discovered on a system running macOS High Sierra 10.13.1. To reproduce it, one would have to create a “clean” flash drive using Disk Utility.app.
The researcher formatted the drive “Mac OS Extended (Journaled),” but the issue appears with other base formats as well.
Next, one would have to create an Encrypted APFS volume on the drive, using the menu option “Erase” and wait for the process to complete.
Keeping an eye on the unified logs in the Terminal while the operation is being performed reveals the selected password in plaintext.
The issue appears to have been fixed in High Sierra 10.13.2, but only for newly created volumes. Thus, the vulnerability can still be triggered when encrypting an already existing unencrypted APFS volume in macOS 10.13.3, the researcher says.
By exploiting this issue, an attacker could view the encryption password of encrypted APFS external volumes on USB drives, portable hard disks, and other external drives.
In October last year, a developer in Brazil discovered that macOS High Sierra leaked the passwords for encrypted APFS volumes via the password hint. The developer discovered the bug after using the Disk Utility to add a new encrypted APFS volume to the container.
Apple Blocks Sites From Abusing HSTS Security Standard to Track Users
23.3.2018 thehackernews Apple
If you are unaware, the security standard HTTP Strict Transport Security (HSTS) can be abused as a 'supercookie' to surreptitiously track users of almost every modern web browser online without their knowledge even when they use "private browsing."
Apple has now added mitigations to its open-source browser infrastructure WebKit that underpins its Safari web browser to prevent HSTS abuse after discovering that theoretical attacks demonstrated in 2015 were recently deployed in the wild against Safari users.
HSTS—HTTP Strict Transport Security—is a great feature that allows websites to automatically redirects user's web traffic to secure page connections over HTTPS if the user accidentally opens an insecure URL and then remembers to route that user to the secure connection always.
Since HSTS does not allow websites to store any information/value on users web browser except remembering the redirect information about turning it on/off for future use, using this information, someone interested in tracking web users can create a so-called supercookie that can then be read by cross-site tracking servers to mark users across websites.
Here's How HSTS-Based Tracking Works:
To understand how HSTS supercookie tracking works, here's a simple example:
To track each user, sites assign a unique random number to each visitor, for example, 909090, where 32 character binary conversion for 909090 is 00000000000011011101111100100010.
To set this binary number for a specific user, the site sets HSTS policy for its 32 subdomains (tr01.example.com, tr02.example.com......and tr32.example.com) accordingly, where if HSTS for a subdomain is enabled then the value is 1 and if not then the value is 0.
Now each time the user visits the same website, it silently opens invisible pixels from 32 of its subdomains in the background that represent the bits in the binary number, signalling the server which subdomains are opened via HTTPS (1) and which via HTTP (zero).
Voila! Combining the above value reveals the user's unique binary value to the server, helping websites/advertisers to mark users across sites.
However, Apple has now added two mitigations to its Safari's WebKit engine that addresses both sides of the attack: where tracking identifiers are created, and the subsequent use of invisible pixels to track users.
Mitigation One addresses the super cookie-setting problem, where attackers use long URLs that encode the digits in subdomains of the main domain name and the practice of setting HSTS across a wide range of sub-domains at once.
Safari will now limit the HSTS state to either the loaded Hostname, or the Top Level Domain plus one (TLD+1), and "WebKit also caps the number of redirects that can be chained together, which places an upper bound on the number of bits that can be set, even if the latency was judged to be acceptable."
"This prevents trackers from efficiently setting HSTS across large numbers of different bits; instead, they must individually visit each domain representing an active bit in the tracking identifier," says Brent Fulgham, a developer who works on Safari WebKit engine.
"While content providers and advertisers may judge that the latency introduced by a single redirect through one origin to set many bits is imperceptible to a user, requiring redirects to 32 or more domains to set the bits of the identifier would be perceptible to the user and thus unacceptable to them and content providers."
In Mitigation Two, Safari ignores HSTS State for Subresource Requests to Blocked Domains, where WebKit blocks things like invisible tracking pixels from forcing an HSTS redirect, causing HSTS supercookies to become a bit string of only zeroes.
However, Apple does not name any individual, organisation, or any advertising firm that was using HSTS supercookie tracking to target Safari users.
Apple Addresses HSTS User Tracking in WebKit
21.3.2018 securityweek Apple
Apple has added new protections to the WebKit framework to prevent possible abuse of the HTTP Strict Transport Security (HSTS) security standard to track users.
HSTS offers a mechanism through which web sites declare themselves accessible only via secure connections and direct browsers to where that secure version resides. Basically, when a user attempts to connect to the insecure version of a website, HSTS forces the browser to go to the HTTPS version of the site instead.
“This is a great feature that prevents a simple error from placing users in a dangerous state, such as performing financial transactions over an unauthenticated connection,” WebKit software engineer Brent Fulgham points out.
However, because HSTS tells web browsers to remember when redirected to a secure location and to automatically go there in the future, a “super cookie” can be created, and it can be read by cross-site trackers, Fulgham says.
An attacker could leverage the user’s HSTS cache to store one bit of information on the device. Through registering a large number of domains and forcing the loading of resources from controlled subset of domains, the attacker “can create a large enough vector of bits to uniquely represent each site visitor.”
The issue is described in the HSTS specs: “it is possible for those who control one or more HSTS Hosts to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through cleverly constructed and loaded web resources, causing the UA to send queries to (variations of) the encoded domain names.”
According to Fulgham, mitigating such tracking attacks isn’t easy, as it requires balancing security and privacy goals. However, because the privacy risks of HSTS have been presented only as a theoretical tracking vector but evidence of actual malicious abuse of the protocol hasn’t been provided yet, browsers would honour all HSTS instructions provided by sites.
The engineer also reveals that Apple recently became aware that this theoretical attack has started being deployed against Safari users. This prompted the tech giant to create a solution to both protect secure web traffic and mitigate tracking.
Because the HSTS exploit requires creating an initial tracking identifier and then reading it, Apple proposes mitigations for both sides of the attack.
On the one hand, Apple revised the network stack to only permit HSTS state to be set for the loaded hostname or the Top Level Domain + 1. Thus, trackers can no longer efficiently set HSTS across large numbers of different bits, but need to individually visit each domain that has an active bit in the tracking identifier. WebKit also caps the number of redirects that can be chained together, thus limiting the number of bits that can be set.
On the other hand, Apple also modified WebKit to ignore HSTS upgrade requests (and use the original URL) when dynamic HSTS results in an insecure third-party subresource loaded from a domain with blocked cookies being upgraded to an authenticated connection.
“Telemetry gathered during internal regression testing, our public seeds, and the final public software release indicates that the two mitigations described above successfully prevented the creation and reading of HSTS super cookies while not regressing the security goals of first party content. We believe them to be consistent with best practices, and to maintain the important security protections provided by HSTS,” Fulgham concludes.
Mac Software Mines Cryptocurrency in Exchange for Free Access to Premium Account
13.3.2018 thehackernews Apple
Nothing comes for free, especially online.
Would you be okay with allowing a few paid services to mine cryptocurrencies using your system instead of paying the subscription fee?
Most free websites and services often rely on advertising revenue to survive, but now there is a new way to make money—using customers’ computer to generate virtual currencies.
It was found that a scheduling app, dubbed Calendar 2, was embracing cryptocurrency mining in exchange for free access to its app premium features, but the developer has to take it down from the Apple App Store following reports that it's not working as intended.
Cryptocurrency mining is not a new concept, but the technology has recently exploded after hackers found it a great way to make millions of dollars by hijacking computers to secretly perform cryptocurrency mining in the background without users' knowledge or consent.
Due to this cryptocurrency mining has emerged as one of the biggest threats in recent months, raising negative sentiments towards this alternative revenue scheme.
However, it seems that Apple has no problem with this alternative if app developers take user's consent to mine cryptocurrencies.
Developed by Qbix, Calendar 2 includes more features than the regular Calendar app that comes bundled with macOS, and cost $0.99 per month or $17.99 one-time fees via in-app purchases.
However, the app recently included a default feature that unlocks 'advanced' paid features of Calendar 2 by allowing the app to mine the digital currency known as Monero (XMR) for its developer in the background.
But unfortunately, the app contains two serious bugs: one that kept the Monero miner running, even if users tried to opt-out of the default setting, and a second issue that caused the miner to consume more CPU duty cycle than originally intended.
"It ate 200% CPU until I found it and killed it. I didn't expect a miner infection from an App Store vendor. Wow. It runs the xmr-stak Monero miner," one user on Twitter reported.
In response to the reports, Qbix founder Gregory Magarshak acknowledged the issues and decided to remove the mining function from his app, citing some issues with the miner's source code, the feature's buggy launch and a personal dislike for "proof of work" computing.
Even though the miner is removed from Calendar 2, it's unclear whether the cryptocurrency mining within apps breaches App Store terms of service, as Calendar 2's method of openly embracing mining in exchange of paid services is new to the Mac App Store.
Apple Moves iCloud Data and Encryption Keys for Chinese Users to China
2.3.2018 thehackernews Apple
Apple has finally agreed to open a new Chinese data center next month to comply with the country's latest controversial data protection law.
Apple will now move the cryptographic keys of its Chinese iCloud users in data centers run by a state-owned company called Cloud Big Data Industrial Development Co, despite concerns from human rights activists.
In 2017, China passed a Cybersecurity Law that requires "critical information infrastructure operators" to store Chinese users' data within the country's borders, which likely forced Apple to partner with the new Chinese data center.
And the icing on the cake is that Chinese government already has legislation called National Security Law, passed in 2015, which gives police the authority to demand companies help them bypass encryption or other security tools to access personal data.
This is the first time when Apple is going to store encryption keys required to unlock iCloud accounts of its users outside the United States.
In theory, Chinese law enforcement agencies won't have to ask US courts for compelling Apple to give them access to the Chinese users’ data.
Instead, they'll simply use their legal system to demand access to cryptographic keys required to unlock iCloud accounts stored within their nation, making it far easier to access users’ data, such as messages, emails, and photos.
However, Apple has said the company alone would have access to the iCloud encryption keys and that Chinese authorities will have no backdoor into its data troves.
Apple said the company had not given any of its customers account information to Chinese authorities despite receiving 176 requests from 2013 to 2017, Reuters reported, though all requests were made before the new cybersecurity laws took effect.
If Apple thinks it would comply with one law, i.e., storing users data in China, but could stand without complying with other stringent Chinese regulations, then the company should reconsider its decision.
The company has severely been implementing various aspects of Chinese laws in recent months for its regional operations in the most populated country.
Last year, Apple controversially removed VPN apps from its official App Store in China to comply with Chinese cyberspace regulations, making it harder for internet users to bypass its Great Firewall.
Earlier last year, Apple removed the New York Times (NYT) app from its Chinese App Store because the app was in "violation of local regulations."
Israeli mobile forensics firm Cellebrite can unlock every iPhone device on the market
27.7.2018 securityaffairs Apple
The Israeli mobile forensics firm Cellebrite has designed a technology that allows it to unlock almost any iPhone, including the latest iPhone X.
We have debated for a long time the legal dispute between Apple and the FBI for unlocking the San Bernardino shooter’s iPhone 5c.
The tech giant refused to help the US authorities to unlock the mobile device and the FBI paid over a million dollar to a third-party company to access data contained in the San Bernardino’s shooter’s iPhone.
Such kind of dispute would not happen in the future, the Israeli mobile forensics firm Cellebrite has designed a technology that allows it to unlock almost any iPhone, including the latest iPhone X.
The Israeli mobile forensics firm Cellebrite that is one of the leading companies in the world in the field of digital forensics. The company already works with the principal law enforcement and intelligence agencies worldwide.
Cellebrite provides the FBI with decryption technology as part of a contract signed in 2013, its technology allows investigators to extract information from mobile devices.
The company’s Advanced Unlocking and Extraction Services could be used to unlock every iPhone running iOS 11 and older versions.
“Cellebrite, a Petah Tikva, Israel-based vendor that’s become the U.S. government’s company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11.” reads a post published by Forbes.
“That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.”
Cellebrite says it advanced services can hack into “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.”
According to Forbes, anonymous sources confirmed that Cellebrite could also unlock the iPhone 8, and likely the iPhone X.
“a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.” continues Forbes.
Law enforcement agencies that need to unlock a device (iOS or Android) simply need to send it to the company Labs where a pool of experts will do the job, the service costs as little as $1,500 per unlock.
“In its labs, the company then uses whatever secret exploits it has to crack the lock and either hands it back to investigators so they can take data from the device, or Cellebrite can do that for them. As Forbes previously detailed, this can be relatively inexpensive, costing as little as $1,500 per unlock.” states Forbes.
It also appears the FBI has already tried out Cellebrite service on the latest Apple devices, the iPhone X. According to a warrant viewed by Forbes related to a suspect in an arms trafficking (Abdulmajid Saidi), his iPhone X was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs and the data extracted on December 5.
Cellebrite hasn’t commented on the latest report.
Phone-Cracking Firm Found a Way to Unlock Any iPhone Model
27.2.2018 thehackernews Apple
Remember the infamous encryption fight between Apple and the FBI for unlocking an iPhone belonging to a terrorist behind the San Bernardino mass shooting that took place two years ago?
After Apple refused to help the feds access data on the locked iPhone, the FBI eventually paid over a million dollar to a third-party company for unlocking the shooter's iPhone 5c.
Now, it appears that the federal agency will not have to fight Apple over unlocking iPhones since the Israeli mobile forensics firm Cellebrite has reportedly figured out a way to unlock almost any iPhone in the market, including the latest iPhone X.
Cellebrite, a major security contractor to the United States law enforcement agencies, claims to have a new hacking tool for unlocking pretty much every iPhone running iOS 11 and older versions, Forbes reports.
In its own literature [PDF] "Advanced Unlocking and Extraction Services," Cellebrite says its services can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11."
Citing anonymous sources, the publication reported that Cellebrite could also unlock the iPhone 8, and since the security across Apple's newest iPhone devices worked in much the same way, the company can break the security of the iPhone X as well.
Besides Apple's devices, Cellebrite can also break into Google Android-powered smartphones from Samsung (Galaxy and Note series), Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE and many more.
"Cellebrite Advanced Unlocking Services is the industry's only solution for overcoming many types of complex locks on market-leading devices," Cellebrite literature explains.
"This can determine or disable the PIN, pattern, password screen locks or passcodes on the latest Apple iOS and Google Android devices."
Last November, the Department of Homeland Security reportedly managed to get into an iPhone X owned by a suspect in an arms trafficking case, probably with the help of a Cellebrite-trained specialist.
However, a warrant discovered by Forbes does not mention the method or technology used by law enforcement to hack into the iPhone X.
Founded in 1999, Cellebrite provides digital forensics tools and software for mobile phones to its customers, which also includes the US government.
One of its main products is the Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones.
While the Cellebrite's iPhone hacking tool has the potential to affect hundreds of millions of Apple users, Apple also rolls out software updates and patches on a regular basis.
So users are advised to keep their devices up-to-date, as its hard to say if the company's hacks work on the latest updates of iOS 11.
Neither Cellebrite nor Apple immediately commented on the latest report.
Coldroot RAT cross-platform malware targets MacOS without being detected
21.2.2018 securityweek Apple
The former NSA hacker and malware researcher Patrick Wardle is back, this time he spotted a new remote access Trojan dubbed Coldroot RAT.
The Coldroot RAT is a cross-platform that is targeting MacOS systems and the bad news is that AV software is not able to detect it. The malware acts as a keylogger on MacOS systems prior to the OS High Sierra allowing it to capture user passwords and credentials.
Wardle published a detailed analysis of the RAT that is currently available for sale on the underground markets since Jan. 1, 2017, while some versions of the Coldroot RAT code have also been available on GitHub for nearly two years.
The expert explained that the RAT masquerades as an Apple audio driver “com.apple.audio.driver2.app” that when clicked on displays an authentication prompt requesting the victim to provide its MacOS credentials.
“an unflagged file named com.apple.audio.driver2.app caught my eye. It was recently submitted for a scan, in early January. ” wrote Wardle.
“Though currently no AV-engine on VirusTotal flags this application as malicious, the fact it contained a reference to (TCC.db) warranted a closer look.”
Once obtained the credentials the RAT modifies the privacy TCC.db database. The researchers analyzed a sample that once installed attempts to provide the malware with accessibility rights (so that it may perform system-wide keylogging) by creating the
/private/var/db/.AccessibilityAPIEnabled
file and then modifies the privacy database TCC.db that keep track of the applications installed on the machine and the related level of accessibility rights.
“Think, (ab)using AppleScript, sending simulated mouse events via core graphics, or directly interacting with the file system. An example of the latter was DropBox, which directly modified macOS’s ‘privacy database’ (TCC.db) which contains the list of applications that are afforded ‘accessibility’ rights.” Wardle wrote.
“With such rights, applications can then interact with system UIs, other applications, and even intercept key events (i.e. keylogging). By directly modifying the database, one could avoid the obnoxious system alert that is normally presented to the user: ”
Patrick Wardle explained that the RAT gain persistence by installing itself as a launch daemon.
The researcher highlighted that systems running MacOS High Sierra protect TCC.db via System Integrity Protection (SIP).
“Thought this script is executed as root, on newer versions of macOS (Sierra+) it will fail as the privacy database is now protected by SIP,” Wardle added.
The static analysis of the malware revealed the commands it supports that are:
Repeating this process for the other commands reveals the following capabilities:
file/directory list
file/directory rename
file/directory delete
process list
process execute
process kill
download
upload
get active window
remote desktop
shutdown
Patrick Wardle believes that author of the RAT is “Coldzer0” that advertised the malicious code for sale offering the possibility to customize it.
“Besides revealing the likely identify of the malware author, this turns up:
source code for an old (incomplete) version of Coldroot
an informative demo video of the malware
The source code, though (as noted), is both old and incomplete – provides some confirmation of our analysis. For example, the PacketTypes.pas file contains information about the malware’s protocol and tasking commands: “
Apple Fixes Indian Character Crash Bug in iOS, macOS
20.2.2018 securityweek Apple
Updates released by Apple on Monday for iOS, macOS, tvOS and watchOS patch a flaw that causes applications to crash when rendering specific strings of Indian characters.
Someone noticed recently that displaying a string written in India’s Telugu language (జ్ఞా) caused many apps on iOS and macOS to crash. The list of impacted apps includes Twitter, Firefox, Chrome, Safari, WhatsApp, Mail, Thunderbird, Instagram, Slack and others.
Apple became aware of the issue after news of the bug started to spread on social media networks and trolls and pranksters started exploiting it. One individual apparently showed how he could crash the Uber app on drivers’ phones by setting his name to the problematic string and requesting a ride.
SecurityWeek can confirm that conducting a search for the string in any web browser on macOS causes the applications to immediately crash. Attempting to send or receive an email using Mail or Thunderbird has the same effect.
While initially only a certain Telugu string appeared to work, some later noticed that a specific string using characters of India’s Bengali language also caused apps on iOS and macOS to crash. There are several theories on what may be causing the crash, including from Mozilla research engineer Manish Goregaokar and Philippe Verdy of the Unicode Consortium.
Apple tracks the vulnerability as CVE-2018-4124 and describes it as a heap corruption triggered when processing a maliciously crafted string. “A memory corruption issue was addressed through improved input validation,” Apple said.
The company patched the flaw on Monday with the release of macOS High Sierra 10.13.3 Supplemental Update, iOS 11.2.6, watchOS 4.2.3 and tvOS 11.2.6. watchOS and tvOS are affected due to the fact that they are based on iOS. The latest operating system updates don’t fix any other vulnerabilities.
An APFS Filesystem flaw could lead macOS losing data under certain conditions
19.2.2018 securityaffairs Apple
The Apple expert Mike Bombich discovered an APFS Filesystem vulnerability that could lead macOS losing data under certain conditions.
A few days ago a ‘text bomb‘ bug was reported for Apple iOS and macOS apps, the issue can crash any Apple iPhone, iPad Or Mac.
Now the Apple expert Mike Bombich discovered an APFS Filesystem vulnerability that could lead macOS losing data under certain conditions.
The bug ties the way the operating system handles APFS sparse disk images formatted in Apple filesystem format APFS.
An Apple Disk Image is a disk image commonly used by the macOS operating system is “mounted” as a volume within the Finder. It contains the entire contents and structure of a disk volume, such as USB, CD, DVD, hard disk drive, or network share.
Disk images are commonly used by several Mac apps, for example for backup applications or disk cloning.
The expert discovered that APFS sparse disk images don’t properly manage the volume of the “free disk space” from the sparse disk image, the OS doesn’t correctly report “free disk space” respect the real “free disk space” value.
“Earlier this week I noticed that an APFS-formatted sparsebundle disk image volume showed ample free space, despite that the underlying disk was completely full. Curious, I copied a video file to the disk image volume to see what would happen. The whole file copied without error! I opened the file, verified that the video played back start to finish, checksummed the file – as far as I could tell, the file was intact and whole on the disk image.” wrote Mike Bombich. “When I unmounted and remounted the disk image, however, the video was corrupted. If you’ve ever lost data, you know the kick-in-the-gut feeling that would have ensued. Thankfully, I was just running some tests and the file that disappeared was just test data. Taking a closer look, I discovered two bugs in macOS’s “diskimages-helper” service that lead to this result.”
Bombich explained that data are written into the void because the OS doesn’t warn users that there is no enough space on the underlying hard drive to contain his data.
As described by the expert, the misleading data are still accessible for a short period after the write operation, unfortunately after the next system reboot exceeding files become corrupted and inaccessible.
Bombich is the author of the Mac backup software Carbon Copy Cloner, according to statistics from his software no many users are affected. The expert says that only 7% of all Carbon Copy Cloner users store backups as sparse disk image files and that only 12% of these 7% use APFS-formatted disk images.
The Carbon Copy Cloner software will not support AFPS-formatted sparse disk images until Apple addresses the vulnerability reported by Bombich.
Below a video PoC of the flaw.
“Until Apple resolves this disk images bug, we strongly recommend that people avoid using APFS-formatted sparse disk images for any purpose with any application.” concluded the expert.
A Single-Character Message Can Crash Any Apple iPhone, iPad Or Mac
16.2.2018 thehackernews Apple
Only a single character can crash your iPhone and block access to the Messaging app in iOS as well as popular apps like WhatsApp, Facebook Messenger, Outlook for iOS, and Gmail.
First spotted by Italian Blog Mobile World, a potentially new severe bug affects not only iPhones but also a wide range of Apple devices, including iPads, Macs and even Watch OS devices running the latest versions of their operating software.
Like previous 'text bomb' bug, the new flaw can easily be exploited by anyone, requiring users to send only a single character from Telugu—a native Indian language spoken by about 70 million people in the country.
Once the recipient receives a simple message containing the symbol or typed that symbol into the text editor, the character immediately instigates crashes on iPhones, iPads, Macs, Apple Watches and Apple TVs running Apple's iOS Springboard.
Apps that receive the text bomb tries to load the character, but fails and refuses to function properly until the character is removed—which usually can be done by deleting the entire conversation.
iphone-crash-telugu-character
The easiest way to delete the offending message is by asking someone else to send a message to the app that is crashing due to the text bomb. This would allow you to jump directly into the notification and delete the entire thread containing the character.
The character can disable third-party apps like iMessage, Slack, Facebook Messenger, WhatsApp, Gmail, and Outlook for iOS, as well as Safari and Messages for the macOS versions.
Telegram and Skype users appear to be unaffected by the text bomb bug.
Apple was made aware of the text bomb bug at least three days ago, and the company plans to address the issue in an iOS update soon before the release of iOS 11.3 this spring.
The public beta version of iOS 11.3 is unaffected.
Since so many apps are affected by the new text bomb, bad people can use the bug to target Apple users via email or messaging or to create mass chaos by spamming the character across an open social platform.
The source code of the Apple iOS iBoot Bootloader leaked online
9.2.2018 securityaffairs Apple
The source code for Apple iOS iBoot secure bootloader has been leaked to GitHub, now we will try to understand why this component is so important for the iOS architecture.
The iBoot is the component loaded in the early stages of the boot sequence and it is tasked with loading the kernel, it is stored in a boot ROM chip.
“This is the first step in the chain of trust where each step ensures that the next is signed by Apple.” states Apple describing the iBoot.
The leaked code is related to iOS 9, but experts believe it could still present in the latest iOS 11.
Apple promptly reacted to the data leak asking to remove the content for a violation of the Digital Millennium Copyright Act (DMCA).
“This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.” reads the notice on the GitHub repository.
“Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source.”
The data leak is considered very dangerous because hackers and security experts can analyze the code searching for security vulnerabilities that could be triggered to compromise the iBoot.
Even is the code cannot be modified, the exploit of a flaw could allow loading other components compromising the overall security of the architecture.
The boot sequence is:
Bootrom → Low Level Bootloader → iBoot → Device tree → Kernel.
The Jailbreak consists of compromising one of the above phases, typically the kernel one.
Newer iPhones have an ARM-based coprocessor that enhances iOS security, so-called Secure Enclave Processor, it makes impossible the access to the code to conduct reverse engineering of the code.
But now the iBoot code has been leaked online and experts can analyze it.
The jailbreak could allow removing security restrictions making it possible to install third-party software and packages, also code that is not authorized by Apple and therefore not signed by the IT giant.
Compromising the iBoot could theoretically allow loading any malicious code in the boot phase or a tainted kernel.
Apple tried to downplay the issue saying that it implements a layered model of security
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protection,” reads a statement issued by Apple.
Apple's iBoot Source Code for iPhone Leaked on Github
8.2.2018 thehackernews Apple
Apple source code for a core component of iPhone's operating system has purportedly been leaked on GitHub, that could allow hackers and researchers to discover currently unknown zero-day vulnerabilities to develop persistent malware and iPhone jailbreaks.
The source code appears to be for iBoot—the critical part of the iOS operating system that's responsible for all security checks and ensures a trusted version of iOS is loaded.
In other words, it's like the BIOS of an iPhone which makes sure that the kernel and other system files being booted whenever you turn on your iPhone are adequately signed by Apple and are not modified anyhow.
The iBoot code was initially shared online several months back on Reddit, but it just resurfaced today on GitHub (repository now unavailable due to DMCA takedown). Motherboard consulted some security experts who have confirmed the legitimacy of the code.
However, at this moment, it is unclear if the iBoot source code is completely authentic, who is behind this significant leak, and how the leaker managed to get his/her hands on the code in the first place.
The leaked iBoot code appears to be from a version of iOS 9, which signifies that the code is not entirely relevant to the latest iOS 11.2.5 operating system, but some parts of the code from iOS 9 are likely still used by Apple in iOS 11.
"This is the SRC for 9.x. Even though you can’t compile it due to missing files, you can mess with the source code and find vulnerabilities as a security researcher. It also contains the bootrom source code for certain devices…," a security expert said on Twitter.
The leaked source code is being cited as "the biggest leak in history" by Jonathan Levin, the author of a number of books on iOS and macOS internals. He says the leaked code seems to be the real iBoot code as it matches with the code he reverse-engineered himself.
Apple has open sourced some portions of macOS and iOS in recent years, but the iBoot code has been carefully kept private.
As Motherboard points out, the company treats iBoot as integral to the iOS security system and classifies secure boot components as a top-tier vulnerability in its bug bounty program, offering $200,000 for each reported vulnerability.
Therefore, the leaked iBoot code can pose a serious security risk, allowing hackers and security researchers to dig into the code to hunt for undisclosed vulnerabilities and write persistent malware exploits like rootkits and bootkits.
Moreover, jailbreakers could find something useful from the iBoot source code to jailbreak iOS and come up with a tethered jailbreak for iOS 11.2 and later.
It is worth noting that newer iPhones and other iOS devices ship with Secure Enclave, which protects against some of the potential issues that come with the leaked iBoot source code. So, I really doubt that the leaked code will be of much help.
Apple has yet to comment on the recent leak, though Github has already disabled the repository that was hosting the iBoot code after the company issued a DMCA takedown notice. However, the code is already out there.
We will update the article if we learn more.
Source Code of iOS Security Component iBoot Posted on GitHub
8.2.2018 securityweek Apple
What appears to be the source code of iBoot, a key component of Apple’s iOS platform responsible for trusted boot operation, was posted on GitHub yesterday.
The code was posted on the open-source portal by an individual going by the username of ZioShiba. The repository, labeled iBoot, has since been taken down, after Apple filed a copyright takedown request with GitHub.
The code in question is what loads the iOS, being the first piece of software that runs when an iOS device is turned on. It is responsible for checking the integrity of the platform and whether the kernel is properly signed.
This clearly makes iBoot a critical operating system component, and Apple is aware of that. As part of its bug bounty program, the tech giant is willing to pay as much as $200,000 for critical flaws in secure boot firmware components, the highest award.
Vulnerabilities in the secure boot firmware components can be used to jailbreak devices. Hackers could also abuse them to gain access to vulnerable devices.
In the DMCA Notice sent to GitHub, Apple appears to confirm the legitimacy of the leak.
“Reproduction of Apple's "iBoot" source code, which is responsible for ensuring trusted boot operation of Apple's iOS software. The "iBoot" source code is proprietary and it includes Apple's copyright notice. It is not open-source,” the notice reads.
Following the takedown, the repo is no longer accessible, but its contents were undoubtedly already downloaded by interested parties.
This means that the iBoot source code likely continues to be available online for cybercriminals to abuse to find vulnerabilities they can exploit in attacks.
In fact, flaws in iOS have long already proved highly valuable, with some companies willing to pay millions of dollars for zero-day vulnerabilities in the mobile operating system. In fact, one team of hackers already earned $1 million for such a security bug.
Just like any other operating system out there, iOS isn’t infallible, and the new code leak clearly proves that, Rusty Carter, Vice President of Product Management for Arxan Technology, told SecurityWeek in an emailed comment.
“Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It's only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS,” Carter said.
SecurityWeek emailed Apple for an official comment and additional details on this incident.
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” an Apple spokesperson said.
Most of the iOS devices out there (93%) are already running newer platform releases, which diminishes any security impact of the leak. In fact, 65% of them run iOS 11, which includes Apple’s latest security improvements.
Apple is also running its own open source program, offering the platform to researchers interested in analyzing it.
*Updated with statement from Apple
MacUpdate Distributes Mac Crypto-Mining Malware
5.2.2018 securityweek Apple
Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.
The issue was observed on Friday, one day after maliciously modified versions of Firefox, OnyX, and Deeper applications started being distributed via the website. MacUpdate was quick to acknowledge the issue, and revealed in a comment that it was their fault and that the legitimate apps weren’t compromised.
What led to this situation is pretty straightforward: instead of linking to the applications’ official download websites, MacUpdate ended up linking to fake domains that resembled the legitimate ones.
Thus, instead of titanium-software.fr, it listed titaniumsoftware.org (registered on January 23) for the download URLs of OnyX and Deeper (both products made by Titanium Software). The download link for Firefox was even more crafty, using the domain download-installer.cdn-mozilla.net, instead of mozilla.net.
For all three applications, however, users ended up downloading disk image files (.dmg) that looked pretty convincing, Malwarebytes says. They also asked the user to drag the file into the Applications folder, just as the legitimate apps would.
The fake applications were created by Platypus, a developer tool used to build macOS software from scripts such as shell or Python.
Once installed, the fake apps download and install a payload from public.adobecc.com (a legitimate site owned by Adobe), after which it attempts to open a copy of the legitimate app as decoy. This operation, however, isn’t always successful, due to various errors the actor behind the fake apps made.
The security researchers discovered that the malicious OnyX app would run on Mac OS X 10.7 and up, but the decoy app requires macOS 10.13 and up, which means that only the malware is executed on systems with previous platform versions.
When it comes to the fake Deeper app, things are similar, but the reason is laughable. The actor included an OnyX app instead of Deeper as decoy, which clearly results the decoy not executing to cover the malicious behavior.
Upon execution, a script in the fake app checks whether it already runs and, if not, it downloads the malware and unzips it into the Library folder, which is hidden by default. A malicious launch agent file named MacOSupdate.plist is installed, designed to recurrently run another script.
The launch agent downloads a new MacOS.plist file and installs it, but first removes the previous MacOS.plist file, supposedly to update it. The downloaded MacOS.plist file was observed loading a malicious sysmdworker process and passing in arguments, including an email address.
“That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login,” Malwarebytes explains.
To stay protected from this and similar threats, users are advised to always download applications from the legitimate websites only, such as the developer’s site or the Mac App Store.
As Malwarebytes points out, this is not the first time MacUpdate has been abused for malicious purposes. A couple of years ago, it fell to a similar hack and ended up distributing the OSX.Eleanor malware.
Apple Patches Meltdown Flaw in Older Versions of macOS
24.1.2018 securityweek Apple
Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.
Apple rolled out the first mitigations for the Meltdown attack before the flaws were disclosed, in early December, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Protections against Spectre attacks were added on January 8 with the release of iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2.
The latest security updates released by the tech giant for Mac computers patch 17 vulnerabilities, including a kernel flaw that allows Meltdown attacks (CVE-2017-5754) in macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.
The update for High Sierra also addresses several other kernel vulnerabilities that can be exploited to read restricted memory and execute arbitrary code with elevated privileges, including ones found by Jann Horn, the Google researcher who independently discovered the Meltdown and Spectre weaknesses.
Other macOS vulnerabilities patched on Monday affect the audio, cURL, LinkPresentation, QuartzCore, sandbox, security, WebKit and Wi-Fi components.
The updates for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 also fix the IOHIDFamily local privilege escalation vulnerability disclosed by a researcher on New Year’s Eve. The expert disclosed the flaw without giving Apple the chance to release a patch, arguing that it’s not remotely exploitable and the PoC he made public is not stealthy.
iOS 11.2.5 patches 13 security holes, including in the audio, Bluetooth, kernel, LinkPresentation, QuartzCore, security, and WebKit components. Some of these flaws are the same ones that affect macOS.
Since watchOS and tvOS are also based on iOS, a majority of the vulnerabilities have also been patched in the Apple Watch and Apple TV operating systems.
The WebKit flaws have also been resolved by Apple in iCloud for Windows, iTunes for Windows, and Safari.
Despite being among the first vendors to start releasing patches, Apple is facing class action lawsuits over the Meltdown and Spectre CPU vulnerabilities. Apple’s processors are affected due to the fact that they use ARM technology.
chaiOS Bug can crash iMessage App on any iPhone and macOS with a simple link
19.1.2018 securityaffairs Apple
The software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS’ that could be exploited to crash a target’s iMessage application.
The researcher and software developer Abraham Masri has discovered a new bug, dubbed ‘chaiOS Text Bomb’ that could be exploited to crash recipient’s iMessage application in a continuous loop.
Abraham Masri
@cheesecakeufo
👋 Effective Power is back, baby!
chaiOS bug:
Text the link below, it will freeze the recipient's device, and possibly restart it. http://iabem97.github.io/chaiOS
⚠️ Do not use it for bad stuff.
----
thanks to @aaronp613 @garnerlogan65 @lepidusdev @brensalsa for testing!
12:00 AM - Jan 17, 2018
133 133 Replies 494 494 Retweets 944 944 likes
Twitter Ads info and privacy
The flaw exploited by the ‘chaiOS Text Bomb’ affects both iOS and macOS, according to researchers at Yalu Jailbreak, the bug is currently compatible up till iOS 11.1.2 firmware, this means that it affects iMessage apps on macOS High Sierra, iOS 10 to 10.3.3, and iOS 11 to 11.2.1.
The exploitation of the issue is very simple, an attacker just needs to send a link to a web page hosting a JavaScript code that attempts to send an SMS message. The iMessage application fails to properly handle the code triggering the crash of the app. In some cases, it has been observed that the iMessage app enters a continuous reboot loop.
A proof-of-concept page has been put together by Masri and shared on Twitter yesterday, but the page has been removed from GitHub due to potential abuses, anyway, a new mirror has been already added.
“chaiOS is a malicious iOS bug that can cause the target device to freeze, respring, drain the battery, and possibly kernel panic. It is developed by the eminent jailbreak developer, Abraham Masri.
Here are the known after-effects once someone opens the malicious link.
The stock Messages app goes completely blank.
Messages app crashes instantly after opening.
Slowdown the target device.
It weighs around 7MB and loads some the exploit into user’s browser window and then crashes it.” states Yalu Jailbreak.
Below is a video PoC of the exploitation of the bug:
Researchers observed that the chaiOS Text Bomb can also affect Windows systems, it can also crash Chrome and Firefox web browsers.
The download link to the chaiOS is reported on the following page, but please don’t use it.
https://yalujailbreak.net/chaios/
Below instructions to trigger the bug:
Open the Messages app.
Select the recipient whose device you want to crash.
Send them the aforementioned link. Be sure to include a “/” at the end.
You are done with this now. Just wait for them to open the link in Safari.
Warning: New Undetectable DNS Hijacking Malware Targeting Apple macOS Users
17.1.2018 thehackernews Apple
A security researcher has revealed details of a new piece of undetectable malware targeting Apple's Mac computers—reportedly first macOS malware of 2018.
Dubbed OSX/MaMi, an unsigned Mach-O 64-bit executable, the malware is somewhat similar to DNSChanger malware that infected millions of computers across the world in 2012.
DNSChanger malware typically changes DNS server settings on infected computers, allowing attackers to route internet traffic through malicious servers and intercept sensitive information.
First appeared on the Malwarebytes forum, a user posted a query regarding unknown malware that infected his friend's computer that silently changed DNS settings on infected macOS to 82.163.143.135 and 82.163.142.137 addresses.
After looking at the post, ex-NSA hacker Patrick Wardle analysed the malware and found that it is indeed a 'DNS Hijacker,' which also invokes security tools to install a new root certificate in an attempt to intercept encrypted communications as well.
"OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways," Patrick said.
"By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads)" or to insert cryptocurrency mining scripts into web pages.
Besides this, the OSX/MaMi macOS malware, which appears to be in its initial stage, also includes below-mentioned abilities, most of which are not currently activated in its version 1.1.0:
Take screenshots
Generate simulated mouse events
Perhaps persist as a launch item
Download and upload files
Execute commands
The motive, author(s) behind the malware, and how it is spreading are currently unknown.
However, Patrick believes that the attackers could be using lame methods like malicious emails, web-based fake security alerts/popups, or social-engineering type attacks to target Mac users.
To check if your Mac computer is infected with MaMi malware, go to the terminal via the System Preferences app and check for your DNS settings—particularly look for 82.163.143.135 and 82.163.142.137.
According to VirusTotal, a multi-engine antivirus scanner, none of 59 popular antivirus software is detecting this malware at this moment, so you are advised to use a 3rd-party tool such as a firewall that can detect and block outgoing traffic.
You can also install a free open-source firewall for macOS named 'LuLu,' created by Patrick and available at GitHub, which blocks suspicious traffic and prevents OSX/MaMi's from stealing your data.
Fourth Fappening Hacker Admits to Stealing Celebrity Pics From iCloud Accounts
17.1.2018 thehackernews Apple
Almost three years after the massive leakage of high-profile celebrities' nude photos—well known as "The Fappening" or "Celebgate" scandal—a fourth hacker has been charged with hacking into over 250 Apple iCloud accounts belonged to Hollywood celebrities.
A federal court has accused George Garofano, 26, of North Branford, of violating the Computer Fraud and Abuse Act, who had been arrested by the FBI.
Garofano has admitted to illegally obtaining credentials for his victims' iCloud accounts using a phishing scheme, which eventually allowed him to steal personal information on his victims, including sensitive and private photographs and videos.
Among celebrities whose nude photographs were posted online back in 2014 are Jennifer Lawrence, Kim Kardashian, Kirsten Dunst, and Kate Upton. Also, female victims also include American Olympic gold medallist Misty May Treanor and actors Alexandra Chando, Kelli Garner and Lauren O’Neil.
Between April 2013 to October 2014, Garofano engaged in sending phishing emails pretended to be from Apple security team to several celebrities, tricking them into providing their iCloud account credentials, which they stole to access their accounts illegally.
"Garofano admitted that he sent emails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them," the Justice Department said.
Besides stealing victims' personal information, including sensitive and private photographs and videos, from their iCloud accounts using stolen credentials, Garofano, in some instances, also traded the stolen credentials, along with the materials he stole from the victims' accounts, with other individuals.
In a plea agreement signed Thursday in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorised access to a protected computer to obtain information, facing up to 5 years in prison.
Garofano is the fourth hacker charged in connection with the Celebgate incident. Emilio Herrera, 32, Edward Majerczyk, 28, and Ryan Collins, 36, pleaded guilty last year to being involved in the celebrity photo hack.
While Herrera is waiting for sentencing next month, Majerczyk was sentenced to nine months in prison and Collins was sentenced to 18 months last year.
The investigation into the Celebgate scandal is being conducted by the U.S. Federal Bureau of Investigation.
New MaMi Malware targets macOS systems and changes DNS settings
17.1.2018 securityaffairs Apple
The popular security researcher Patrick Wardle spotted MaMi malware, a new threat malware designed to hijack DNS settings on macOS devices.
The cyber security expert and former NSA hacker Patrick Wardle made the headline once again, this time the researcher has spotted a new strain of malware dubbed MaMi designed to hijack DNS settings on macOS devices.
Wardle first obtained a sample of the MaMi malware after a user reported on the Malwarebytes forums that the Mac of its teacher was infected by a malware that set DNS servers to 82.163.143.135 and 82.163.142.137.
At the time of its discovery, it was undetected by all engines on VirusTotal. The OSX/MaMi isn’t particularly advanced, but the researcher remarked that it does alter infected systems in rather nasty and persistent ways.
“Since there are already several (IMHO unrelated) malware specimens that perform DNS hijackering (that are named ‘DNSChanger’, etc), I decided to call is OSX/MaMi due to a core class the malware named: ‘SBMaMiSettings’ ” wrote Wardle.
“Ok, that’s a wrap. OSX/MaMi isn’t particular advanced – but does alter infected systems in rather nasty and persistent ways. By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads). “
The malicious code acts as a DNS hijacker, but it also implements other features for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.
The researcher discovered the malware on several websites, unfortunately, it was not able to determine the distribution channel. It is likely the MaMi malware has been delivered via email, fake security alerts and pop-ups on websites, or social engineering attacks.
Wardle noticed that the malware does not appear to execute any of implement feature, likely because it requires some attacker-supplied input or other preconditions that were not simulated in the virtualized test lab used by the expert.
Once MaMi has infected a mac system, it invokes the security tool and uses it to install a new certificate (dcdata.bin) it’s downloaded from the internet.
“By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle’ing traffic (perhaps to steal credentials, or inject ads).” explained Wardle.
How to discover is a macOS system is infected with the MaMi malware?
Users can check DNS settings, the malicious code set DNS servers to 82.163.143.135 and 82.163.142.137.
Patrick Wardle also created a free open-source firewall for macOS named ‘LuLu,’ which is able to block suspicious traffic and neutralize OSX/MaMi’s.
MaMi isn’t only one of the DNS-changer malware discovered since today, the most popular malware with these characteristics is DNSChanger, a threat that targeted both Windows and OS X machines, infecting millions of devices worldwide.
Fappening – A fourth man has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities
17.1.2018 securityaffairs Apple
Fappening – A fourth hacker, George Garofano (26), of North Branford, has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities.
A fourth hacker, George Garofano (26), of North Branford, has been charged with hacking into over 250 Apple iCloud accounts belonging to celebrities.
Garofano had been arrested by the FBI and a federal court has accused him of violating the Computer Fraud and Abuse Act.
From April 2013 through October 2014, Garofano used phishing attacks against the victims to obtain their iCloud accounts credentials, access the accounts and steal personal information, including private photographs and videos.
“According to the plea agreement, from April 2013 through October 2014, Garofano engaged in a phishing scheme to obtain usernames and passwords for iCloud accounts. Garofano admitted that he sent e-mails to victims that appeared to be from security accounts of Apple and encouraged the victims to send him their usernames and passwords, or to enter them on a third-party website, where he would later retrieve them.” reads the press release published by the DoJ.
“Garofano used the usernames and passwords to illegally access his victims’ iCloud accounts, which allowed him to steal personal information, including sensitive and private photographs and videos, according to his plea agreement. In some instances, Garofano traded the usernames and passwords, as well as the materials he stole from the victims, with other individuals.”
As part of the Fappening case, nude pictures of many celebrities were leaked online, the list of victims is long and includes Kim Kardashian, Kate Upton, and Jennifer Lawrence.
Garofano also traded the stolen credentials, as well as the information he stole from the victims’ accounts, with other individuals.
In a plea agreement signed last week in U.S. District Court in Los Angeles, Garofano agreed to plead guilty to one count of unauthorized access to a protected computer to obtain information.
The man is now facing up to 5 years in federal prison.
Garofano is the fourth man charged in connection with the Fappening saga, in past months Emilio Herrera, Edward Majerczyk, Ryan Collins, pleaded guilty to being involved in the attacks on the celebrities’ iCloud accounts.
Collins was sentenced to 18 months in federal prison, Majerczyk to nine months and Herrera is waiting for sentencing next month.
'MaMi' Mac Malware Hijacks DNS Settings
17.1.2018 securityweek Apple
Researcher Patrick Wardle has analyzed what seems to be a new piece of malware designed to hijack DNS settings on macOS devices. The threat has other capabilities as well, but they do not appear to be active.
The malware, dubbed OSX/MaMi by Wardle based on a core class named “SBMaMiSettings,” is currently only detected – at least based on its signature – by ESET and Ikarus products as OSX/DNSChanger.A and Trojan.OSX.DNSChanger. However, other vendors will likely create signatures for the threat in the upcoming hours and days.
The researcher obtained a sample of MaMi after a user reported on the Malwarebytes forums that a teacher’s Mac had been infected. The user reported that the DNS servers on the compromised system were set to 82.163.143.135 and 82.163.142.137, and they kept changing back after being removed.
Wardle has not been able to determine how the malware is being distributed, but he has found it on several websites. The expert believes the threat has likely been delivered via email, fake security alerts and pop-ups on websites, or social engineering attacks.
The sample analyzed by the researcher acts as a DNS hijacker, but it also contains code for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.
The malware does not appear to execute any of these functions, but Wardle says it’s possible that they require some attacker-supplied input or other preconditions that his virtual machine may not have met. The researcher says he will continue to investigate.
Once it infects the system, the malware invokes the security tool and uses it to install a new certificate obtained from a remote location.
“OSX/MaMi isn't particular advanced - but does alter infected systems in rather nasty and persistent ways,” Wardle explained. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).”
The easiest way to determine if a macOS system is infected with the MaMi malware is to check DNS settings – the threat is present if the server is set to 82.163.143.135 and 82.163.142.137. The malware does not appear to be designed to target Windows devices.
The most well known DNS-changer malware is DNSChanger, a threat that made rounds in the years leading up to 2011 and which changed DNS settings as part of clickjacking and ad replacement fraud schemes. DNSChanger affected both Windows and OS X machines, and millions of devices worldwide were at risk of losing Internet connectivity after authorities took down its infrastructure.
Bogus Passwords Can Unlock AppStore Preferences in macOS
12.1.2018 securityweek Apple
A security vulnerability impacting macOS High Sierra allows admins to unlock the AppStore Preferences in System Preferences by providing any password.
The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.
macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.
Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the Prefpane.
One thing that should be noted is that the App Store setting is opened up unlocked by default when the user is logged as admin and that no sensitive user information can be accessed by triggering the bug.
Eric Holtam notes the security oversight only impacts the App Store preferences and no other system preferences menu can be unlocked in a similar manner. The admin password is still required when attempting to change user and other system preferences.
The issue, however, is not as dangerous as it might look. For starters, the bug can only be triggered if the user is logged in as admin, which clearly minimizes the vulnerability’s impact, given that the admin can unlock the specific settings.
Users affected by the flaw would be those who, although logged as admins, would still keep the App Store preferences locked. In such cases, if the machine was left unattended, anyone with physical access to it could change the respective settings.
Apple, however, is already working on addressing the issue. A patch has been included in the latest beta seed of macOS High Sierra (10.13.3) and will be released to all Mac users in a future software update.
In late November, the tech giant patched a critical authentication bypass vulnerability in macOS High Sierra 10.13.1, where anyone could login as root by providing any password. The attack however, was possible only if the root account hadn’t been enabled or a password hadn’t been set for it. However, experts revealed that remote attacks were also possible.
Mac Malware Creator Indicted in U.S.
11.1.2018 securityweek Apple
“FruitFly” Mac Malware Creator Allegedly Spied On Victims for 13 Years
An Ohio man was charged this week in a 16-count indictment for allegedly developing malware known as “FruitFly” and for infecting thousands of computers with it.
The man, Phillip R. Durachinsky, 28, of North Royalton, Ohio, has been charged with using the malware for more than 13 years to watch, listen to, and obtain personal data from unknowing victims, as well as to produce child pornography.
FruitFly, also known as Quimitchin, was first discovered a year ago, despite being said to have been developed over a decade ago. The malware was supposedly designed to exfiltrate data from anything it can access and its presence on machines at biomedical facilities led researchers to believe it was a cyber-espionage tool. What isn’t yet clear is how the malware was distributed to the compromised systems.
At Virus Bulletin last year, security researcher Patrick Wardle presented a paper on a second variant of FruitFly, explaining that the threat is installed persistently on the victims’ machines, that it employs obfuscation, and that it includes support for a large number of commands. By setting up a custom command and control (C&C) server for the threat, he was also able to observe and analyze the malware’s behavior.
The malware, Wardle revealed, included support for around 25 commands, and supports advanced commands rarely seen in macOS malware, such as the ability to simulate mouse and keyboard events, likely in an attempt to interact with system dialogs or alerts from security products.
Although designed to target Macs, FruitFly was found to contain Linux shell commands and to run just fine on Linux, which suggested that a variant targeting this operating system might have been built as well. Windows-based executable files that communicated with the malware’s C&C were also discovered, and one of them was found to use a libjpeg library that hasn't been updated since 1998, but which FruitFly also uses.
According to the indictment the Department of Justice made public this week, Durachinsky from 2003 through Jan. 20, 2017, allegedly orchestrated a scheme to access “thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy.”
Using the FruitFly malware, he allegedly controlled infected computers “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” DoJ said.
The indictment also alleges that Durachinsky used the malware to steal victims’ personal information, including logon credentials, tax records, medical records, photographs, banking records, Internet searches, and communications. He is also charged with using the stolen credentials to access and download information from third-party websites.
Moreover, Durachinsky is said to have used the compromised systems to watch and listen to victims without their knowledge or permission and to intercept oral communications taking place in the room where the infected computer was located. Durachinsky was apparently alerted if a user typed words associated with pornography and is said to have saved millions of images and to have kept detailed notes of what he saw.
“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division said.
macOS Malware Creator Charged With Spying on Thousands of PCs Over 13 Years
11.1.2017 thehackernews Apple
The U.S. Justice Department unsealed 16-count indictment charges on Wednesday against a computer programmer from Ohio who is accused of creating and installing spyware on thousands of computers for more than 13 years.
According to the indictment, 28-year-old Phillip R. Durachinsky is the alleged author of FruitFly malware that was found targeting Apple Mac users earlier last year worldwide, primarily in the United States.
Interestingly, Durachinsky was just 14 years old when he programmed the first version of the FruitFly malware, and this full-fledged backdoor trojan went largely undetected for several years, despite using unsophisticated and antiquated code.
The malware was initially discovered in January 2017 by Malwarebytes and then Patrick Wardle, an ex-NSA hacker, found around 400 Mac computers infected with the newer strain of FruitFly. However, Wardle believed the number of infected Macs would likely be much higher.
The malware is capable of advanced surveillance on macOS devices with the ability to remotely take control of webcams, microphones, screen, mouse, and keyboards, as well as install additional malicious software.
Since the source code of Fruitfly also includes Linux shell commands, the researchers believe the malware would work just fine on Linux operating system.
From 2003 to January 2017, Durachinsky used spyware, which was later named FruitFly, to gain access to thousands of computers belonging to individuals, companies, schools, a police department, and a subsidiary of the U.S. Department of Energy.
Durachinsky allegedly used the malware to steal the personal data of victims, including their tax records, banking records, medical records, login credentials, photographs, Internet searches, and potentially embarrassing communications.
"He is alleged to have developed computer malware later named “Fruitfly” that he installed on computers and that enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio," the DoJ says.
Besides installing Fruitfly, Durachinsky is also accused of producing child pornography, as in some cases, the malware alerted him if a user typed any pornography term. It’s likely such action would prompt recording.
Durachinsky is facing charges of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft.
However, the charges are merely allegations at this time, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.
[Bug] macOS High Sierra App Store Preferences Can Be Unlocked Without a Password
11.1.2017 thehackernews Apple
Yet another password vulnerability has been uncovered in macOS High Sierra, which unlocks App Store System Preferences with any password (or no password at all).
A new password bug has been discovered in the latest version of macOS High Sierra that allows anyone with access to your Mac to unlock App Store menu in System Preferences with any random password or no password at all.
The impact of this vulnerability is nowhere as serious as the previously disclosed root login bug in Apple's desktop OS that enabled access to the root superuser account simply by entering a blank password on macOS High Sierra 10.13.1.
As reported on Open Radar earlier this week, the vulnerability impacts macOS version 10.13.2 and requires the attacker to be logged in with an administrator-level account for this vulnerability to work.
I checked the bug on my fully updated Mac laptop, and it worked by entering a blank password as well as any random password.
If you're running latest macOS High Sierra, check yourself:
Log in as a local administrator
Go to System Preferences and then App Store
Click on the padlock icon (double-click on the lock if it is already unlocked)
Enter any random password (or leave it blank) in login window
Click Unlock, Ta-da!
Once done, you'll gain full access to App Store settings, allowing you to modify settings like disabling automatic installation of macOS updates, app updates, system data files and even security updates that would patch vulnerabilities.
We also tried to reproduce the same bug on the latest developer beta 4 of macOS High Sierra 10.13.3, but it did not work, suggesting Apple probably already knows about this issue and you'll likely get a fix in this upcoming software update.
What's wrong with password prompts in macOS? It's high time Apple should stop shipping updates with such an embarrassing bug.
Apple also patched a similar vulnerability in October in macOS, which affected encrypted volumes using APFS wherein the password hint section was showing the actual password of the user in the plain text.
Apple released patches to fix Spectre flaws in Safari, macOS, and iOS
9.1.2018 secrityaffairs Apple
Apple released iOS 11.2.2 software, a macOS High Sierra 10.13.2 supplemental update, and Safari 11.0.2 to fix Spectre flaws.
On Monday, Apple released patches to fix Spectre flaws in Safari, macOS, and iOS, the tech giant released iOS 11.2.2 software a macOS High Sierra 10.13.2 supplemental update. The patches also fixed vulnerabilities in Apple WebKit, the web browser engine used by Safari, Mail, and App Store.
The security updates issued by Apple aim to mitigate the two known methods for exploiting Spectre identified as “bounds check bypass” (CVE-2017-5753/Spectre/v1) and “branch target injection” (CVE-2017-5715/Spectre/v2).
Just after the disclosure of the Meltdown and Spectre attacks, Apple released security updates (iOS 11.2, macOS and tvOS 11.2) to protect its systems against Meltdown attacks.
Apple now released the following security updates:
macOS High Sierra 10.13.2 supplemental;
Safari 11.0.2 that is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6;
iOS 11.2.2 available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation;
After the disclosure of the flaws, security experts pointed out that the Spectre vulnerability is very hard to patch, but fortunately, the exploitation is much more difficult than Meltdown.
Another worrisome aspect of the Spectre attacks is that it breaks the isolation between different applications opening the door to remote attacks, for example, an attacker can remotely bypass sandboxing mechanism implemented by modern browsers.
Apple released patches to fix Spectre flaws in Safari, macOS, and iOS
9.1.2018 securityaffairs Apple
Apple released iOS 11.2.2 software, a macOS High Sierra 10.13.2 supplemental update, and Safari 11.0.2 to fix Spectre flaws.
On Monday, Apple released patches to fix Spectre flaws in Safari, macOS, and iOS, the tech giant released iOS 11.2.2 software a macOS High Sierra 10.13.2 supplemental update. The patches also fixed vulnerabilities in Apple WebKit, the web browser engine used by Safari, Mail, and App Store.
The security updates issued by Apple aim to mitigate the two known methods for exploiting Spectre identified as “bounds check bypass” (CVE-2017-5753/Spectre/v1) and “branch target injection” (CVE-2017-5715/Spectre/v2).
Just after the disclosure of the Meltdown and Spectre attacks, Apple released security updates (iOS 11.2, macOS and tvOS 11.2) to protect its systems against Meltdown attacks.
Apple now released the following security updates:
macOS High Sierra 10.13.2 supplemental;
Safari 11.0.2 that is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6;
iOS 11.2.2 available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation;
After the disclosure of the flaws, security experts pointed out that the Spectre vulnerability is very hard to patch, but fortunately, the exploitation is much more difficult than Meltdown.
Another worrisome aspect of the Spectre attacks is that it breaks the isolation between different applications opening the door to remote attacks, for example, an attacker can remotely bypass sandboxing mechanism implemented by modern browsers.
Apple Working on Patch for New Year's Eve macOS Flaw
4.1.2018 securityweek Apple
Apple is aware of the macOS vulnerability disclosed by a researcher on New Year’s Eve and the company plans on patching it later this month.
A security expert who uses the online moniker Siguza has made public the details and proof-of-concept (PoC) code for a local privilege escalation vulnerability affecting all versions of the macOS operating system.
The flaw, which the researcher described as a “zero day,” allows a malicious application installed on the targeted system to execute arbitrary code and obtain root privileges.
Apple is working on patching the vulnerability and has shared some mitigation advice until the fix becomes available.
“Apple is committed to the security of our customers’ devices and data, and we plan to patch this issue in a software update later this month,” Apple said in a statement emailed to SecurityWeek. “Since exploiting the vulnerability requires a malicious app to be loaded on your Mac, we recommend downloading software only from trusted sources such as the Mac App Store.”
The flaw affects IOHIDFamily, a kernel extension designed for human interface devices (e.g. touchscreens and buttons). Siguza discovered that some security bugs in this component introduce a kernel read/write vulnerability, which he has dubbed IOHIDeous.
The exploit created by the hacker also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features.
The PoC exploit is not stealthy as it needs to force a logout of the legitimate user. However, the researcher said an attacker could design an exploit that is triggered when the targeted device is manually rebooted or shut down.
Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes it can be adapted for version 10.13.2 as well.
The vulnerability has been around since at least 2002, but it could actually be much older.
Siguza says he is not concerned that malicious actors will abuse his PoC exploit as the vulnerability is not remotely exploitable. The hacker claims he would have privately disclosed the flaw to Apple had it been remotely exploitable or if the tech giant’s bug bounty program covered macOS.
15-Year-Old Apple macOS 0-Day Kernel Flaw Disclosed, Allows Root Access
3.1.2017 thehackernews Apple
A security researcher on New Year's eve made public the details of an unpatched security vulnerability in Apple's macOS operating system that can be exploited to take complete control of a system.
On the first day of 2018, a researcher using the online moniker Siguza released the details of the unpatched zero-day macOS vulnerability, which he suggests is at least 15 years old, and proof-of-concept (PoC) exploit code on GitHub.
The bug is a serious local privilege escalation (LPE) vulnerability that could enable an unprivileged user (attacker) to gain root access on the targeted system and execute malicious code. Malware designed to exploit this flaw could fully install itself deep within the system.
From looking at the source, Siguza believes this vulnerability has been around since at least 2002, but some clues suggest the flaw could actually be ten years older than that. "One tiny, ugly bug. Fifteen years. Full system compromise," he wrote.
This local privilege escalation flaw resides in IOHIDFamily, an extension of the macOS kernel which has been designed for human interface devices (HID), like a touchscreen or buttons, allowing an attacker to install a root shell or execute arbitrary code on the system.
"IOHIDFamily has been notorious in the past for the many race conditions it contained, which ultimately lead to large parts of it being rewritten to make use of command gates, as well as large parts being locked down by means of entitlements," the researcher explains.
"I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS - specifically IOHIDSystem, which contains the vulnerability."
The exploit created by Siguza, which he dubbed IOHIDeous, affects all versions of macOS and enables arbitrary read/write bug in the kernel.
Besides this, IOHIDeous also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features that offer protection against malware.
The PoC code made available by Siguza has for some reason stopped working on macOS High Sierra 10.13.2 and works on macOS High Sierra 10.13.1 and earlier, but he believes the exploit code can be tweaked to work on the latest version as well.
However, the researcher pointed out that for his exploit to work, it needs to force a log out of the logged-in user, but this can be done by making the exploit work when the targeted machine is manually shut down or rebooted.
Since the vulnerability only affects macOS and is not remotely exploitable, the researcher decided to dumped his findings online instead of reporting it to Apple. For those unaware, Apple's bug bounty program does not cover macOS bugs.
For in-depth technical details about the vulnerability, you can head on to researcher's write-up on GitHub.
Expert publicly disclosed a macOS zero-day that allows local privilege escalation
2.1.2017 securityaffairs Apple
A security researcher has publicly disclosed the details of macOS zero-day flaw that can be exploited to take complete control of a system.
A security researcher that goes online with the Twitter account Siguza (@s1guza) has publicly disclosed the details of macOS zero-day vulnerability that can be exploited to take complete control of a system. The expert speculates the flaw has been around since at least 2002
Siguza
@s1guza
Fuck it, dropping a macOS 0day. Happy New Year, everyone. https://siguza.github.io/IOHIDeous/
11:59 PM - Dec 31, 2017
119 119 Replies 2,634 2,634 Retweets 4,407 4,407 likes
Twitter Ads info and privacy
The flaw is a local privilege escalation (LPE) vulnerability that affects IOHIDFamily, a kernel extension designed for human interface devices (HID) (e.g. the touchscreen, buttons, accelerometer, etc.).
The flaws discovered by the expert affect all versions of macOS and they can lead to an arbitrary read/write vulnerability in the kernel.
An attacker who has access to a system can trigger the zero-day flaw to execute arbitrary code and gain root permissions.
The expert was analyzing the iOS code searching for vulnerabilities in the iOS kernel when he discovered that the component IOHIDSystem exists only on macOS.
“I was originally looking through its source in the hope of finding a low-hanging fruit that would let me compromise an iOS kernel, but what I didn’t know it then is that some parts of IOHIDFamily exist only on macOS – specifically IOHIDSystem, which contains the vulnerability discussed herein.” Siguza wrote in the technical analysis published on gitHub.
The expert published a PoC code, dubbed IOHIDeous, that works for Sierra and High Sierra (up to 10.13.1, see README) and is able to disable both the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI).
“Targets Sierra and High Sierra (up to 10.13.1, see README), achieves full kernel r/w and disables SIP to prove that the vulnerability can be exploited by any unprivileged user on all recent versions of macOS.” continues the expert.
The exploit code developed by the expert runs as fast as possible to avoid user interaction, for example on a shutdown “we’d be able to slip in between the user getting logged out and the kernel killing us.”
The PoC code published by Siguza seems not work on macOS High Sierra 10.13.2 released on December 6, but the expert believes that this version is still vulnerable.
“The prefetch timing attack I’m using for hid for some reason doesn’t work on High Sierra 10.13.2 anymore, and I don’t feel like investigating that.” said Siguza.
“Maybe patched, maybe just the consequence of a random change, I neither know nor care. The vuln is still there and my code does both info leak and kernel r/w, just not in the same binary – reason is explained in the write-up. If you want that feature, consider it an exercise for the reader.”
Siguza publicly disclosed this macOS zero-day because it is exploitable only by a local attacker and because Apple bug bounty doesn’t cover it.
1 Jan
Security Around The World
@security_china
Replying to @s1guza
Can I ask, why not sell it? I'm sure some government or blackhat would have paid a lot for it? Or are you just the type of person who can't be reasoned with, who doesn't care for money and just want to watch the world burn?
Siguza
@s1guza
My primary goal was to get the write-up out for people to read. I wouldn't sell to blackhats because I don't wanna help their cause. I would've submitted to Apple if their bug bounty included macOS, or if the vuln was remotely exploitable.
3:43 PM - Jan 1, 2018
4 4 Replies 11 11 Retweets 150 150 likes
Unpatched macOS Flaw Allows Code Execution, Root Access
2.1.2017 securityweek Apple
A researcher who specializes in hacking Apple’s iOS operating system has made public the details of an unpatched vulnerability in macOS that can be exploited to take complete control of a system.
The details of the exploit and proof-of-concept (PoC) code were made public on the first day of 2018 – or the last day of 2017, depending on where you are located in the world – by a researcher who uses the online moniker Siguza (s1guza). An attacker who has access to a system can leverage the vulnerability, which the expert has described as a “zero day,” to execute arbitrary code and obtain root permissions.
This local privilege escalation (LPE) vulnerability affects IOHIDFamily, a kernel extension designed for human interface devices (HID), such as a touchscreen or buttons. While trying to discover flaws that would let him hack the iOS kernel, Siguza noticed that some components of this extension, specifically IOHIDSystem, exist only on macOS, which led him to identify a potentially serious security hole.
The bugs he discovered affect all versions of macOS and they can lead to an arbitrary read/write vulnerability in the kernel. The exploit created by the hacker also disables the System Integrity Protection (SIP) and Apple Mobile File Integrity (AMFI) security features.
However, the expert pointed out that his exploit, dubbed IOHIDeous, is not stealthy as it needs to force a logout of the logged-in user. On the other hand, an attacker could design an exploit that is triggered when the targeted device is manually shut down or rebooted.
Some of the PoC code made available by Siguza only works on macOS High Sierra 10.13.1 and earlier, but the researcher believes the exploit can be tweaked to work on the latest version as well, namely 10.13.2, which Apple released on December 6.
The expert believes the vulnerability has been around since at least 2002, but some clues suggest it could actually be a decade older than that. “One tiny, ugly bug. Fifteen years. Full system compromise,” Siguza said.
The researcher said he would have reported his findings to Apple instead of disclosing them to the public if the flaw had been remotely exploitable or if the tech giant’s bug bounty program covered macOS.
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
Some may argue that making the exploit public puts macOS users at risk of attacks, but Siguza believes that is not the case.
Apple Admits Deliberately Slowing Older iPhones — Here’s Why
21.12.2017 thehackernews Apple
Why is my iPhone slow?
Do you also ask this question again and again?
Well, the biggest conspiracy theory floating around from years that Apple deliberately slows down performance on your older iPhones whenever the company is about to launch the next version of its flagship to push its sale is TRUE (at least partially).
Apple has finally admitted that it does indeed intentionally slow down older iPhone models, without notifying its customers, though the company claims the move is not intended to encourage customers to upgrade to newer iPhone models.
Instead, Apple says it is a feature—implemented on the iPhone 6, 6S and SE last year during a software update, and on the iPhone 7 in December with the release of iOS 11.2—to protect against unexpectedly shutting down of older iPhones due to aging batteries and prolong their lifespan.
"Last year we released a feature for iPhone 6, iPhone 6s and iPhone SE to smooth out the instantaneous peaks only when needed to prevent the device from unexpectedly shutting down during these conditions," the company said in an official statement to Reuters.
"We've now extended that feature to iPhone 7 with iOS 11.2, and plan to add support for other products in the future."
According to Apple, the issue resides in iPhone's battery, and not in its processor. The performance of lithium-ion battery used in iPhones degrades over time, which could result in damaging the internal components of the device.
Therefore, Apple intentionally throttles the performance of iPhones that have older batteries, batteries with low charge or that are cold, in an attempt to protect their components.
The above statement by Apple came in response to a blog post published earlier this week by Toronto-based firm Geekbench developer John Poole, who analyzed the performance of iPhone 6S and iPhone 7 over time.
Poole expected the battery capacity to decrease as they age, but processor performance to stay the same. He found that an iOS update rolled out to fix a 'sudden shutdown' issue was to blame for the decreased performance.
"Users expect either full performance or reduced performance with a notification that their phone is in low-power mode," Poole wrote in a blog post published Monday (18th December).
"This fix creates a third, unexpected state. While this state is created to mask a deficiency in battery power, users may believe that the slow down is due to CPU performance, instead of battery performance, which is triggering an Apple introduced CPU slow-down."
Apparently, this latest Apple's revelation sparked an outcry among Apple fans.
Although the company was not playing a bad trick to push the sale of newer iPhone models by slowing older ones, Apple should show a bit more honesty in a relationship with its customers who call themselves Apple fans.
Google Researcher Releases iOS Exploit—Could Enable iOS 11 Jailbreak
12.12.2017 thehackernews Apple
As promised last week, Google's Project Zero researcher Ian Beer now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources.
On Monday morning, Beer shared the details on the exploit, dubbed "tfp0," which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system.
Here, "tfp0" stands for "task for pid 0" or the kernel task port—which gives users full control over the core of the operating system.
The Project Zero researcher responsibly reported these vulnerabilities to Apple in October, which were patched by the company with the release of iOS 11.2 on 2nd December.
While Beer says he has successfully tested his proof of concept exploit on the iPhone 6s and 7, and iPod Touch 6G, he believes that his exploit should work on all 64-bit Apple devices.
Another security researcher confirmed that the exploit released by Beer also works on his Apple TvOS 11.x and TV 4K running iOS 11.1.2.
What's worse? Since Apple's iOS mobile operating system and macOS desktop operating system share the same code base, the kernel for macOS is also vulnerable to the bug, according to a report published by Project Zero on Google's Chromium Blog.
Beer said he has also successfully tested the vulnerability on macOS 10.13, running on a MacBook Air 5.2, which Apple patched in macOS 10.13.1.
Earlier versions of the operating systems are still vulnerable to the exploit, which basically grants complete core access to the operating system and that is really what the jailbreak community requires.
Although we have not heard any news about iOS jailbreaks from the jailbreak community from very long, Beer's exploit could be the basis for a future iOS 11 jailbreak, allowing iPhone and iPad users to install third-party OS customizations via apps that are restricted by Apple.
If iOS 11.1.2 jailbreak surfaces in upcoming days, you can still downgrade to iOS 11.1.2 using iTunes even if you have updated to iOS 11.2 because Apple is still signing the operating system.
The OceanLotus MacOS Backdoor Transforms into HiddenLotus with a Slick UNICODE Trick
12.12.2017 securityaffairs Apple
Experts at Malwarebytes warns of a new variant of the macOS OceanLotus backdoor is using an innovative technique to avoid detection,
A few years ago the bad actors realized they could use UNICODE characters that looked like English characters to lead unsuspecting victims to malicious websites. Now, they have figured out how to use a similar trick to fool Apple computers too! Substitute a Roman d for a Latin d in .pdf and you might have a way to fool the computer and the user into running the OceanLotus backdoor.
Wikipedia tells us: UNICODE is an industry standard for “the consistent encoding, representation, and handling of text.” Or put another way, it tries to identify every unique character in all of the languages so we can recognize an English “A” and a Greek “A” as distinct.
The bad actors figured out that to humans, a URL in English characters ‘aaa.com‘ looks the same as ‘aaa.com‘ in Greek characters but computers recognize these as different and will take you to two different websites depending on which you choose.
In 2001, this became known as the internationalized domain name (IDN) homograph attack. Most browsers now have defenses against such attacks, and while there are some creative folks still finding new ways to exploit UNICODE attacks in browsers, it looks like some have moved onto creative file-based attacks.
To make life easier for users, operating systems (OSes) allow users to double-click on a file through the GUI and take it from there. If the file is a document, the appropriate application runs and the requested file is opened. If the file is an application, the OS runs the program. Windows operating systems simply look at the file extension to determine the file type. MacOS is more diligent after a series of cyber attacks in 2009 when bad actors renamed applications to have document file extensions getting through the security controls at the time.
In response, Apple implemented “File Quarantine” in a number of applications that download files from the Internet. Think: Safari, Messages, iChat, and mail. To identify applications, MacOS looks at the file extension, but also looks at the internal structure of files with known document extensions to determine if it is a renamed application. If it appears to be an application, the user receives a warning that the file is “an application downloaded from the Internet” and given the option to avoid opening it.
This all seems like a good plan until some crafty person leveraged the confusion that comes with UNICODE characters to create the OSX HiddenLotus. An attack. In this attack, the victim receives the file “Lê Thu Hà (HAEDC).pdf” which looks like a benign PDF document but MacOS knows better because the internal structure gives it away as an application that could contain malware. Following the File Quarantine procedure, the user will see the popup warning shown above. But wait, it doesn’t have an “unknown extension” it has a PDF extension, doesn’t it?
This is where the UNICODE magic comes in to fool the computer. The “d” in the .pdf file above isn’t from the LATIN character set, it is actually a Roman numeral “d” which looks the same to human eyes but is distinctive to computers. MacOS knows that the Adobe extension .pdf should be opened by a PDF reader like Adobe Reader, but the malware extension .pdf has no defined application. It is internally structured like an application so MacOS follows the procedures and asks the user.
Note: there is nothing magic about “pdf” in this case, other than it looks benign to humans and is unrecognized by MacOS.
“The HiddenLotus dropper is a folder with the proper internal bundle structure to be an application, and it uses an extension of .pdf, where the ‘d’ is a Roman numeral, not a letter. Although this extension looks exactly the same as the one used for Adobe Acrobat files, it’s completely different, and there are no applications registered to handle that extension. Thus, the system will fall back on the bundle structure, treating the folder as an application, even though it does not have a telltale .app extension.” reads the analysis published by MalwareBytes.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well”
Any unknown extension will have this behavior. But imagine what happens when the popup box warns that “Lê Thu Hà (HAEDC).pdf is an application downloaded from the Internet. Are you sure you want to open it?“
How many users will notice “application” in that popup box — which is the important part — or will they quickly scan the message and get “are you sure you want to open this PDF file from the Internet?”
Apple has updated the MacOS XProtect anti-malware system to watch for this specific attack and then provide a stronger message to the user. But there are a lot of characters beside the Roman “d” that can be leveraged for similar attacks. The game of cat and mouse continues.
Google Project Zero white hacker reveals Apple jailbreak exploit
12.12.2017 securityaffairs Apple
White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit that relies on a kernel memory corruption vulnerability.
White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit. The expert publicly disclosed the kernel memory corruption vulnerability after Apple addressed it with a fix.
Last week highlighted Beer announced an iOS 11.1.2 exploit called “tfp0,” which he believes could be the basis for a future iOS 11.1.2 jailbreak.
Today, Beer released the exploit and explained it should work on all iOS devices running iOS 11.1.2 or below, though he only tested it on iPhone 7, iPhone 6s, and a sixth-generation iPod touch.
Watch out, Beer doesn’t release a full iOS 11 jailbreak, but what could potentially be used to develop a working jailbreak.
The attack vector is the tfp0 (“task for pid 0”), the kernel task port.
Ian Beer
@i41nbeer
iOS 11.1.2, now with more kernel debugging: https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3 …
5:20 PM - Dec 11, 2017
171 171 Replies 805 805 Retweets 1,718 1,718 likes
Twitter Ads info and privacy
Beer started from his work with Apple’s Mach kernel implementation, and the Mach interface generator (MIG) made in September 2016.
“Userspace MIG services often use mach_msg_server or mach_msg_server_once to implent an RPC server. These two functions are also responsible for managing the resources associated with each message similar to the ipc_kobject_server routine in the kernel.” wrote Beer.
“Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.”
Beer published a proof-of-concept code to exploit a second bug that provided the vector to attack MIG.
The expert exploited “a recent addition to the kernel, presumably as a debugging tool to help enumerate places where the kernel is accidentally disclosing pointers to userspace. The implementation currently enumerates kqueues and dumps a bunch of values from them.”
“IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function.” reads the security advisory published by Beer.
“The external method’s error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a futher reference on the wake_port when only one was taken. This bug is reachable from the iOS app sandbox as demonstrated by this PoC.”
Beer included a step-by-step explanation in the readme file included in the PoC code:
First, he used a proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports;
Second, he triggered an out-of-bounds read for “various kallocsizes” to identify “the most commonly-leaked kernel pointer”;
Next, he sent Mach messages to gather “a pretty large number of kalloc allocations;
With enough Mach port allocations, Beer gathered a page “containing only my ports”. The port address disclosure provided “a port which fits within particular bounds on a page. Once I’ve found it, I use the IOSurface bug to give myself a dangling pointer to that port”;
”I free the kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages);”
Careful reallocation (1 MB at a time) made garbage collection trigger and “collect the page that the dangling pointer points to”.
Beer explained that “the bsdinfo->pid trick” allowed him to build an arbitary read to find the kernel task’s vm_map and the kernel’s ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.
Jailbreaking iOS devices is no more so popular, especially after two major Cydia repositories shut down. Both ModMy and ZodTTD/MacCiti, which provided apps, themes, tweaks, and more for jailbroken iOS devices, shut down in November.
Google Researcher Releases iOS 11 Jailbreak Exploit
12.12.2017 securityweek Apple
Google Project Zero researcher Ian Beer has released a proof-of-concept (PoC) exploit that could pave the way for the first iOS 11 jailbreak.
The iOS vulnerabilities leveraged by Beer’s exploit are CVE-2017-13865, a kernel flaw that allows an application to read restricted memory, and CVE-2017-13861, a weakness in IOSurface that can be leveraged to execute arbitrary code with kernel privileges. Both security holes were patched by Apple in early December with the release of iOS 11.2.
When Beer announced his intention to release an iOS exploit a few days ago, some were hoping that the researcher would release a full jailbreak. Nevertheless, many iPhone fans anticipate that the exploit made available by the Google expert will allow someone to create a jailbreak by the end of the year.
Beer has released the exploit in an effort to help security researchers analyze Apple devices by running their own tools. The exploit has been tested on iPhone 7, iPhone 6s and iPod Touch 6G running iOS 11.1.2, but the expert believes support can easily be added for other devices.
The researcher’s exploit targets task_for_pid 0 (tfp0), a function that provides access to the kernel task port and which can be useful for jailbreaking, and a local kernel debugger. Technical details and PoC code are available via the Project Zero bug tracker.
The vulnerabilities necessary for a jailbreak have become increasingly difficult to find and Apple has implemented many of the features that in the past required third-party apps and jailbroken devices. This has led to fewer researchers trying to develop exploits and fewer users needing jailbroken devices.
However, there has been a lot of interest in Beer’s exploits – even before they were actually released – and many users are hoping to see an iOS 11 jailbreak in the coming weeks.
It’s worth pointing out that even if a jailbreak is released, it will only work on devices running iOS 11.1.2 – and possibly earlier versions of iOS 11 – as Apple has already patched the vulnerabilities in iOS 11.2.
macOS Backdoor Uses Innovative Disguise Technique
12.12.2017 securityweek Apple
A variant of the macOS-targeting OceanLotus backdoor is using an innovative technique to disguise the fact that it is an executable in order to avoid alerting users on its execution, Malwarebytes warns.
Dubbed HiddenLotus, the backdoor is distributed via an application named Lê Thu Hà (HAEDC).pdf, which masquerades as an Adobe Acrobat file. The app uses an old method for this behavior, one that inspired the file quarantine feature introduced in Leopard (Mac OS X 10.5), where files downloaded from the Internet are tagged as quarantined.
Should the downloaded file be an executable, such as an application, a pop-up notification warns the user on the fact when they attempt to open the file. The quarantine feature has been around for nearly a decade, but malware continues to masquerade as documents, Malwarebytes says.
HiddenLotus, a new variant of the OceanLotus backdoor that was last seen this summer posing as a Microsoft Word document and targeting users in Vietnam, takes the disguise to a new level. While older malware had a hidden .app extension to indicate that it was an application, HiddenLotus actually has a .pdf extension. There was no .app extension included.
This is possible because the threat uses a hidden extension, where the ‘d’ in .pdf is actually the Roman numeral ‘D’ (representing the number 500) in lowercase, as Arnaud Abbati has discovered.
“An application does not need to have a .app extension to be treated like an application. An application on macOS is actually a folder with a special internal structure called a bundle. A folder with the right structure is still only a folder, but if you give it an .app extension, it instantly becomes an application,” Malwarebytes explains.
Because of that, the Finder treats the folder as a single file and launches it as an application when double-clicked, instead of opening the folder.
When the user double-clicks a file or a folder, LaunchServices considers the extension first and opens the item accordingly, if it knows the extension. A file with a .txt extension will be opened with TextEdit by default. Thus, a folder with the .app extension will be launched as an application, should it have the right internal structure.
If the extension isn’t known, the user is consulted when attempting to open the file, and they can choose an application to open the file or search the Mac App Store.
When double-clicking a folder with an unknown extension, however, LaunchServices falls back on looking at the folder’s bundle structure.
This is the behavior that HiddenLotus’ author leverages: the dropper is a folder that has the internal bundle structure of an application. Because of the use of a Roman numeral in the .pdf extension and because there is no application registered to open it, the system treats it as an application even though it does not have a telltale .app extension.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well,” Malwarebytes says.
The security researchers also point out that there is an enormously large list of possible extensions that malicious actors could abuse, especially when using Unicode characters. Because of that, users could be tricked into opening files that mimic Word documents (.doc), Excel spreadsheets (.xls), Pages documents (.pages), and the like.
“This is a neat trick, but it’s still not going to get past file quarantine. The system will alert you that what you’re trying to open is an application. Unless, of course, what you are opening was downloaded via an application that does not use the APIs that properly set the quarantine flag on the file, as is the case for some torrent apps,” the researchers also note.
Apple Patches Vulnerabilities in macOS, watchOS, and tvOS
7.12.2017 securityweek Apple
Apple this week released security updates for macOS, watchOS, and tvOS, as well as updated versions of the Safari browser and the iTunes for Windows application.
The company addressed a total of 22 vulnerabilities with the release of macOS High Sierra 10.13.2 this week (some of the patches were also included in Security Update 2017-002 Sierra and Security Update 2017-005 El Capitan).
Affected components included apache, curl, Directory Utility, Intel Graphics Driver, IOAcceleratorFamily, IOKit, Kernel, Mail, Mail Drafts, OpenSSL, and Screen Sharing Server. Kernel was impacted the most, with 8 bugs addressed in it.
Many of these flaws could result in attackers or malicious applications executing arbitrary code with either kernel or system privileges. Other vulnerabilities, however, could result in disclosure of process memory, administrator authentication bypass, and system termination, or could allow applications to read restricted memory.
Impacting macOS High Sierra 10.13.1, the flaw in Mail could result in an S/MIME encrypted email being inadvertently sent unencrypted if the receiver's S/MIME certificate was not installed, Apple notes in an advisory.
A total of 9 vulnerabilities were addressed with the release of watchOS 4.2. One of the bugs impacts IOSurface, another affects Wi-Fi, while the remaining 7 were resolved in Kernel. Most of the bugs could result in an application executing arbitrary code with kernel privileges or reading restricted memory.
Affecting Apple Watch (1st Generation) and Apple Watch Series 3, the Wi-Fi bug allowed an attacker in Wi-Fi range to force nonce reuse in WPA multicast/GTK clients.
The issue, known as Key Reinstallation Attacks or KRACK, was discovered earlier this year in the Wi-Fi standard itself, thus impacting all implementations, industrial networking devices included. Apple addressed the bug in most of its products in late October.
Released on Monday, tvOS 11.2 resolves 10 vulnerabilities: one in IOSurface, another in Wi-Fi, and 8 in Kernel. Essentially, it fixes the 9 bugs addressed with watchOS 4.2, along with one other issue in Kernel.
These 10 security vulnerabilities, along with 4 others (one in IOKit, one in IOMobileFrameBuffer, one in Mail, and another in Mail Drafts), were also addressed in iOS with the release of iOS 11.2 on December 2.
On Wednesday, December 6, Apple also released Safari 11.0.2 and iTunes 12.7.2 for Windows, but hasn’t provided information on the security content of these updates.
In late November, Apple released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.
24 hours later, Apple fixes the bug in macOS High Sierra that allowed Root access with no password
1.12.2017 securityaffairs Apple
Just 24 hours later, Apple issued a security update for macOS High Sierra that addresses the bug that allowed Root access with no password
Yesterday I published a post on an embarrassing flaw affecting the macOS High Sierra, tracked as CVE-2017-13872, that that can be exploited to gain root access to a machine with no password.
The vulnerability is exploitable via the authentication dialog box in the Apple macOS High Sierra that asks for an administrator’s username and password when the user needs to do specific actions like configure privacy and network settings.
From the user login screen, if the user provides “root” as the username, leave the password box blank, hit “enter” and then click on unlock a few times, the prompt disappears and he gains admin rights.
D̒͂̕ă̋n̕ Ť̨̖̾̾̓͐͒͜͠ͅe̘͗̑́̋̂́͡ͅn̅̀̀͞t̾l̀̓̐͘e̓̒̂̚r
✔
@Viss
2:28 AM - Nov 29, 2017
41 41 Replies 361 361 Retweets 756 756 likes
Twitter Ads info and privacy
Initial reports suggested that the exploit works by entering the username “root” with a blank password, but the expert Tom Ervin discovered that it works with any password.
Tom Ervin
@techbytom
Everyone. Please, the MacOS “blank root password” vulnerability has nothing to do with a blank password. The first time someone tries to log in as root, whatever password they try becomes the password for root. DO NOT test with a blank password. SET A STRONG ROOT PASSWORD NOW.
10:32 AM - Nov 29, 2017
Replies 3 3 Retweets 5 5 likes
Twitter Ads info and privacy
The attack scenario needs physical access to the machine to log in, once inside the attacker can perform several malicious activities such as install a malware.
Even if the flaw was first reported on Apple developer forums on November 13 by a user, Apple only learned of it on Tuesday when the web developed Lemi Orhan Ergin tweeted about it.
Lemi Orhan Ergin
@lemiorhan
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?
7:38 PM - Nov 28, 2017
1,166 1,166 Replies 12,927 12,927 Retweets 15,519 15,519 likes
Twitter Ads info and privacy
The flaw affects macOS High Sierra 10.13 and macOS High Sierra 10.13.1, it doesn’t impact macOS Sierra 10.12.6 and earlier.
Just 24 hours later, Apple announced the availability of a security update for macOS High Sierra that addresses the issue.
“An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the company said in its advisory.
“A logic error existed in the validation of credentials. This was addressed with improved credential validation.”
Experts noticed that If they have a root account enabled and a password for it set, the trick will not work, for this reason Apple has deactivated the root account by default.
New variants of the UBoatRAT RAT hits targets in East Asia
30.11.2017 securityaffairs Apple
Palo Alto Networks discovered a custom RAT dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea.
Security experts from Palo Alto Networks discovered custom remote access Trojan (RAT) dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea and the video gaming industry.
The UBoatRAT has been distributed through Google Drive links, the malware obtains the address of the command and control (C&C) server from GitHub and uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.
The address of the C&C and the destination port are hidden in a file hosted on GitHub, and the malware accesses the file using a specific URL. UBoatRAT communicates with the C&C served using a custom protocol.
Attackers used the GitHub account ‘elsa999’, according to the researchers the author has been frequently updating repositories since July.
UBoatRAT was first spotted on May 2017, at the time it was a simple HTTP backdoor leveraging a public blog service in Hong Kong and a compromised web server in Japan for C&C.
Across the months the authors added several new features to the RAT, the last variant was released during summer.
“Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT.” reads the analysis published by Palo Alto Networks.
“The attacks with the latest variants we found in September have following characteristics.
Targets personnel or organizations related to South Korea or video games industry
Distributes malware through Google Drive
Obtains C2 address from GitHub
Uses Microsoft Windows Background Intelligent Transfer Service(BITS) to maintain persistence.”
The exact targets aren’t still clear at the moment, the experts speculate the hackers aimed to Korea or the video games industry, because Korean-language game titles, Korea-based game company names, and some words used in the video games business were used for delivery.
The UBoatRAT performs malicious activities on the infected machine only when joining an Active Directory Domain, this means that user systems that are not part of a domain would not be impacted.
Threat actors delivered the RAT through a ZIP archive hosted on Google Drive and containing a malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of the UBoatRAT masquerade as Microsoft Word document files.
The RAT halts its execution when detects a virtualization software such as VMWare, VirtualBox, QEmu, when executed it attempts to obtain the Domain Name from network parameters. If it fails to get the domain name, it displays a fake error message and quits.
Otherwise, UBoatRAT copies itself as C:\programdata\svchost.exe, and creates and executes C:\programdata\init.bat, then it displays a specific message and quits.
Experts observed that the malware relies the Microsoft Windows Background Intelligent Transfer Service (BITS), a service for transferring files between machines, to maintain the persistence.
“Bitsadmin.exe is a command-line tool user can create and monitor BITS jobs. The tool provides the option, /SetNotifyCmdLine which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot.” continue the analysis.
Once established a covert channel with C&C, the malware waits following backdoor commands from the attacker.
Command Description
alive Checks if whether the RAT is alive
online Keeps the RAT online by sending the packets to C2 periodically
upfile Uploads file to compromised machine
downfile Downloads file from compromised machine
exec Executes process with UAC Bypass using Eventvwr.exe and Registry Hijacking
start Starts CMD shell
curl Downloads file from specified URL
pslist Lists running processes
pskill Terminates specified process
The researchers have identified fourteen samples of UBoatRAT, as well as one downloader associated with the attacks.
“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat.” concluded Palo Alto Networks.
Patch for macOS Root Access Flaw Breaks File Sharing
30.11.2017 securityweek Apple
The patch released by Apple on Wednesday for a critical root access vulnerability affecting macOS High Sierra appears to break the operating system’s file sharing functionality in some cases. The company has provided an easy fix for affected users.
The flaw, tracked as CVE-2017-13872, allows an attacker to gain privileged access to a device running macOS High Sierra by logging in to the root account via the graphical user interface with the username “root” and any password. Apple has disabled the root account by default and when users attempt to log in to this account, the password they enter is set as its password. If the password field is left blank, there will be no password on the root account.
The vulnerability can be exploited locally, but remote attacks are also possible if sharing services are enabled on the targeted machine.
While the issue was mentioned on Apple developer forums on November 13, the tech giant only learned about it on November 28, when a Turkish developer posted a message on Twitter. A patch was released within 24 hours, but since Apple did not have enough time to test the fix, it appears to introduce other problems.
Some users may find that the file sharing functionality no longer works after they have installed the security update for High Sierra 10.13.1.
An advisory published by Apple shortly after the release of the update provides recommendations on how to repair file sharing. Users simply need to open the Terminal, type the command sudo /usr/libexec/configureLocalKDC, and enter their administrator password when prompted. This should address the issue until Apple releases another update.
Attacks exploiting CVE-2017-13872 can also be prevented by manually setting a password for the root user account or disabling sharing services if not needed. Apple said the security hole does not affect macOS Sierra 10.12.6 and earlier.
This is not the only authentication bug found in macOS High Sierra recently. Last month, a developer noticed that the operating system had leaked the passwords for encrypted Apple File System (APFS) volumes via the password hint.