Supply Chain Attack Spreads macOS RAT 20.10.2017 securityweek Apple Proton, a remote access tool (RAT) that emerged in early 2017, has once again compromised a legitimate software’s distribution channel to spread, ESET warns.
Discovered in March this year, Proton was designed to execute any bash command under root, monitor keystrokes, upload/download files to/from the victim’s machine, grab screenshots or webcam captures, get updates, and also send notifications to the attacker. It can also help the attacker connect via SSH/VNC to the target machine.
In May, the malware’s operators managed to compromise a download mirror of the popular video converting tool HandBrake and configured it to distribute the RAT via a trojanized version of the legitimate app.
Now, the attackers were able to hack Eltima, the makers of the Elmedia Player software, and replaced the legitimate application binaries available for download with trojanized iterations. Thus, Eltima ended up distributing the OSX/Proton malware via their official website.
The attack was observed on Thursday, October 19, and Eltima was able to clean the infected application binaries within hours after being informed on the incident, ESET says.
All users who downloaded the Elmedia Player software recently should check their systems for possible compromise. For that, they should verify for the presence of the following files or directories: /tmp/Updater.app/, /Library/LaunchAgents/com. Eltima.UpdaterAgent.plist, /Library/.rand/, and /Library/.rand/updateragent.app/.
“If any of them exists, it means the trojanized Elmedia Player application was executed and that OSX/Proton is most likely running,” ESET notes.
Apparently only the application version downloaded through the company’s website was compromised, while the version distributed through the built-in automatic update mechanism was supposedly unaffected.
Once installed on a compromised machine, the malware can steal operating system details, browser information from Chrome, Safari, Opera, and Firefox (including history, cookies, bookmarks, and login data), cryptocurrency wallets (Electrum, Bitcoin Core, and Armory), SSH private data, macOS keychain data, Tunnelblick VPN configuration, GnuPG data, 1Password data, and a list of all installed applications.
Proton’s operators aren’t the only cybercriminals out there attempting to infect users via supply chain attacks. Last year, Mac Bittorrent client Transmission was hacked twice to spread the OSX/KeRanger ransomware and OSX/Keydnap password stealer, respectively.
Another incident of global impact was the compromise of the updater process of tax accounting software MEDoc to distribute the NotPetya wiper. Spreading fast to organizations worldwide, the attack resulted in millions of dollars in losses, as some organizations were unable to recover data following the incident.
Apple Allows Uber to Use a Powerful Feature that Lets it Record iPhone Screen 7.10.2017 thehackernews Apple If you are an iPhone user and use Uber app, you would be surprised to know that widely popular ride-hailing app can record your screen secretly. Security researcher Will Strafach recently revealed that Apple selectively grants (what's known as an "entitlement") Uber a powerful ability to use the newly introduced screen-recording API with intent to improve the performance of the Uber app on Apple Watch. The screen-recording API allows the Uber app to record user's screen information even when the app is closed, giving Uber access to all the personal information passing through an iPhone screen. What's more? The company's access to such permission could make this data vulnerable to hackers if they, somehow, able to hijack Uber's software. "It looks like no other third-party developer has been able to get Apple to grant them a private sensitive entitlement of this nature," Strafach told Gizmodo, who first reported about the issue. "Considering Uber's past privacy issues I am very curious how they convinced Apple to allow this." Shortly after the public disclosure, Uber said it would remove the entitlement code from its iPhone app's codebase that lets the ride-sharing app record the screen even if running in the background. Although it's unclear when or for how long Uber's iPhone app has had this permission, Uber spokesperson said in a tweet that the entitlement was used for an old version of the Apple Watch app and was provided to Uber because the original Apple Watch could not render maps. However, due to upgrades to Apple Watch and the Uber app, the company does not need this permission anymore. According to Strafach, the entitlement is "com.apple.private.allow-explicit-graphics-priority" app permission that allows developers to read and write to part of the iPhone's memory to access the device’s screen data. Nearly every iPhone app uses entitlement in an effort to enable features like the camera or Apple Pay on iPhones and iPads. However, according to Strafach, Apple does not often grant "sensitive" entitlements to non-Apple apps. Strafach said he could not find any other app on the Apple's official App Store that has the permissions that the Uber app has. Although there is no evidence that Uber ever misused the entitlement, this special permission could have been exploited to perform a wide range of activities on an iPhone, such as recording passwords, monitoring users and harvesting other personal information, Strafach explained. Apple has not yet responded. This is not the first privacy concern surrounding Uber. Late last year, the ride-hailing company was found tracking its users' locations even after their rides ended. Uber was also in controversies at the mid of last year for monitoring the battery life of its users, as the company believed that its users were more likely to pay a much higher price to hire a cab when their phone's battery is close to dying.
macOS High Sierra Update Patches Keychain Access Flaw 6.10.2017 securityweek Apple An update released on Thursday by Apple for its macOS High Sierra operating system patches two vulnerabilities, including one that allows malicious applications to steal passwords from the Keychain.
The Keychain flaw, tracked as CVE-2017-7150, was disclosed last week by Patrick Wardle, director of research at Synack. Apple has now addressed the issue with the release of High Sierra 10.13 Supplemental Update.
The researcher warned that High Sierra and previous versions of macOS are affected by a security hole that can be exploited by unsigned applications to programmatically dump and exfiltrate sensitive data from the Keychain, including plaintext passwords. However, he only released a video demonstrating the attack, without making any technical details public.
“A method existed for applications to bypass the keychain access prompt with a synthetic click. This was addressed by requiring the user password when prompting for keychain access,” Apple said in its advisory.
SecurityWeek has reached out to Wardle to find out if the latest update properly patches the vulnerability he found. This article will be updated once the researcher responds.
Wardle also demonstrated recently how Apple's new Secure Kernel Extension Loading (SKEL) security feature, introduced in High Sierra, can be easily bypassed.
The High Sierra 10.13 Supplemental Update also fixes a password disclosure issue involving encrypted Apple File System (APFS) volumes.
Brazil-based developer Matheus Mariano discovered that passwords set by users via Disk Utility for new encrypted APFS volumes are displayed in clear text via the “Show Hint” button when the volume is mounted. The problem only appears to affect encrypted APFS volumes created via Disk Utility.
“This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints,” Apple said about the flaw, which it tracks as CVE-2017-7149.
Apple has also published a knowledge base article for the password leakage issue. The company has advised users to protect their existing APFS volumes by creating a backup, erasing the existing volume, and restoring the initial volume to set a new password.
“Changing the password on an affected volume clears the hint but doesn’t affect the underlying encryption keys that protect the data,” Apple said.
macOS High Sierra Leaks APFS Volume Passwords via Hint 6.10.2017 securityweek Apple A developer from Brazil noticed that the recently launched macOS High Sierra 10.13 operating system leaks the passwords for encrypted Apple File System (APFS) volumes via the password hint.
APFS is a new file system introduced by Apple with macOS High Sierra. When High Sierra is installed on a computer with a solid-state drive (SSD), the startup volume is automatically converted to APFS and users cannot opt out of the transition. APFS promises strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.
Developer Matheus Mariano discovered the password leakage after he used the Disk Utility in High Sierra to add a new encrypted APFS volume to the container. When users add a new volume, they are asked to enter a password and, optionally, write a hint for it.
When the new volume is mounted, the user is asked to enter the password. However, Mariano noticed that if the “Show Hint” button is pressed, the hint that is displayed is actually the password set by the user. The password is not disclosed if no information is entered into the “Password hint” field when creating a new volume, although Apple recommends adding a hint.
“I really don’t know how this went unnoticed by Apple (and anyone else),” Mariano said.
SecurityWeek can confirm that the password for encrypted APFS volumes is leaked via the password hint on High Sierra.
macOS developer Felix Schwarz pointed out that users who have set a hint via the Disk Utility can address the issue by changing the hint using the diskutil command line utility.
Mariano said he reported the issue to Apple before making his findings public. He also published a video showing the vulnerability:
SecurityWeek has reached out to Apple for comment and will update this article if the company responds.
This is not the first security hole discovered by researchers in High Sierra. Patrick Wardle, director of research at Synack, reported last month that unsigned apps can steal passwords from the macOS keychain, and that Apple’s new Secure Kernel Extension Loading (SKEL) security feature can be easily bypassed.
UPDATE. Apple told SecurityWeek that an update released on Thursday, October 5, for High Sierra addresses both the APFS password disclosure issue and the keychain vulnerability reported by Wardle.
The company has also published a knowledge base article that provides more guidance to users on the password disclosure bug.
Apple file system flaw, macOS shows encrypted drive’s password in the hint box 6.10.2017 securityaffairs Apple
Apple released a patch for macOS High Sierra 10.13 that address also a flaw in Apple file system that exposes encrypted drive’s password in the hint box. Apple yesterday released a security patch for macOS High Sierra 10.13 to fix vulnerabilities in the Apple file system (APFS) volumes and Keychain software.
The vulnerability in the Apple file system was first reported by Matheus Mariano, a developer at Leet Tech, and later confirmed also by the programmer Felix Schwartz.
5 Oct Felix Schwarz @felix_schwarz It becomes clearer every day that Apple shipped #APFS way too early. https://twitter.com/martiano_/status/913024208946556928 …
Follow Felix Schwarz @felix_schwarz Tried myself & it's true: #HighSierra shows the #APFS volume password as hint. Persists reboots, not stored in keychain. Wow. Just wow. pic.twitter.com/FkcHI9KHl9
53 53 Replies 1,126 1,126 Retweets 1,053 1,053 likes Twitter Ads info and privacy The vulnerability in the Apple file system tracked as CVE-2017-7149 could be exploited by a local attacker to gain access to an encrypted APFS volume.
“If a hint was set in Disk Utility when creating an APFS encrypted volume, the password was stored as the hint. This was addressed by clearing hint storage if the hint was the password, and by improving the logic for storing hints.” reads the description provided by Apple on its support website.
When users create an encrypted APFS volume on a Mac with an SSD using Apple’s Disk Utility app and set up a password hint, invoking the password hint mechanism while remounting the volume will display the current password in plaintext.
Here’s a video demonstrating the programming cockup:
Another flaw fixed by Apple tracked as CVE-2017-7150 affects the Keychain and was discovered by the popular expert Patrick Wardle. Wardle revealed that unsigned applications can steal macOS Keychain passwords from the latest version of macOS High Sierra and previous versions of macOS. Many developers questioned the quality of macOS High Sierra 10.13 released at the end of September.
Follow Brian Lopez @brianmario Legitimately wondering of Apple accidentally shipped a pre-release version of High Sierra. So much of it is unfinished and unpolished.
4:39 AM - Sep 27, 2017 2 2 Replies Retweets likes
Millions of Macs open to EFI Firmware Hacks even if they are up-to-date 1.10.2017 securityaffairs Apple
A group of researchers with Duo Security demonstrated that millions of Up-to-Date Apple Macs are vulnerable to EFI Firmware attacks. In 2015, the security researcher Trammell Hudson demonstrated at the Chaos Computer Congress in Hamburg, how it is possible to infect Apple Mac PCs exploiting the Thunderbolt port. Since the disclosure of the attack against the Apple firmware, the company has regularly bundled EFI updates with macOS security and software updates to avoid its exploitation. Now researchers at Duo Security have discovered that many macOS security and software updates are incomplete exposing millions of Up-to-Date Macs to EFI Firmware hacks. The researchers analyzed over 73,000 Macs systems and discovered that a worrisome number of Apple Mac computers either fails to install security patches for EFI firmware vulnerabilities or doesn’t install security updates at all.
“We then gathered OS version, build number, Mac model version, and EFI firmware version from over 73,000 real-world Mac systems deployed in organizations across a number of industry verticals to give us a large dataset of the Apple EFI environments that are in production use.” states the report published by the experts.
“Our research has shown there are considerable discrepancies in how Apple provides security support to its EFI firmware as compared to how they support the security of the OS and software.”
According to the research paper, 4.2 percent of machines in production environments are running EFI versions different from what they should be running.
“On average, 4.2% of real-world Macs used in the production environments analyzed are running an EFI firmware version that’s different from what they should be running, based on the hardware model, the OS version, and the EFI version released with that OS version.” states the research paper.
The situation is worse for certain Mac models, such as the iMac 21.5 inch of late 2015 for which experts observed a 43 percent discrepancy. The experts noticed that 16 combinations of Mac hardware and OSes had never received any EFI firmware update during the lifetime of the 10.10 to 10.12 versions of OS X/macOS.
The situation is, even more, critic because Apple does not even warn its customers of the failed EFI update process or technical problems resulting in millions of Macs users vulnerable to cyber attacks.
Thunderstrike EFI firmware attacks
Apple uses Intel-designed Extensible Firmware Interface (EFI) for Mac computers that runs before macOS boots up and has higher-level privileges. An EFI malware could be exploited by attackers to gain full control of the device without being detected.
“In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove – installing a new OS or even replacing the hard disk entirely is not enough to dislodge them.” states the Duo researchers.
You will be surprised by knowing the numbers for some specific Mac models—43% of the analysed iMac models (21.5″ of late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware updates when Mac OS X 10.10 and 10.12.6 was available.
“For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates,” Duo researchers say.
It is very disconcerting to know that even if users are running the latest version of macOS and have installed all the security updates issued by the tech giant they are still exposed to cyber attack.
“Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version,”
Duo experts also found 47 models that were running 10.12, 10.11, 10.10 versions of macOS and did not receive the EFI firmware update that addressed the known vulnerability, Thunderstrike 1.
While 31 models did not receive did not receive an EFI patch for Thunderstrike 2.
The Thunderstrike attacks were first exploited by the National Security Agency (NSA), agents. According to documents belonging to the WikiLeaks Vault 7 data dumps, the agency developed the “Sonic Screwdriver” project, which is a “mechanism for executing code on peripheral devices while a Mac laptop or desktop is booting”allowing an attacker to boot its attack software for example from a USB stick “even when a firmware password is enabled”.
The technique allows a local attacker to boot its hacking tool using a peripheral device (i.e. USB stick, screwdriver),“even when a firmware password is enabled” on the device. This implied that the Sonic Screwdriver allows attackers to modify the read-only memory of a device, the documents revealed that malware is stored in the Apple Thunderbolt-to-Ethernet adapter.
More details on the research are available in the Duo Labs whitepaper, Mac users can check if they are running the latest version of EFI for their systems by using free open-source tool EFIgy.
Millions of Up-to-Date Apple Macs Remain Vulnerable to EFI Firmware Hacks
30.9.2017 thehackernews Apple "Always keep your operating system and software up-to-date." This is one of the most popular and critical advice that every security expert strongly suggests you to follow to prevent yourself from major cyber attacks. However, even if you attempt to install every damn software update that lands to your system, there is a good chance of your computer remaining outdated and vulnerable. Researchers from security firm Duo Labs analysed over 73,000 Macs systems and discovered that a surprising number of Apple Mac computers either fails to install patches for EFI firmware vulnerabilities or doesn't receive any update at all. Apple uses Intel-designed Extensible Firmware Interface (EFI) for Mac computers that work at a lower level than a computer's OS and hypervisors—and controls the boot process. EFI runs before macOS boots up and has higher-level privileges that, if exploited by attackers, could allow EFI malware to control everything without being detected. "In addition to the ability to circumvent higher level security controls, attacking EFI also makes the adversary very stealthy and hard to detect (it’s hard to trust the OS to tell you the truth about the state of the EFI); it also makes the adversary very difficult to remove—installing a new OS or even replacing the hard disk entirely is not enough to dislodge them," Duo researchers say. What's worse? In addition to neglecting to push out EFI updates to some systems, Apple does not even warn its users of the failed EFI update process or technical glitch, leaving millions of Macs users vulnerable to sophisticated and advanced persistent cyber attacks. On average, Duo said 4.2% of 73,324 real-world Macs used in the enterprise environments were found running a different EFI firmware version they should not be running—based on the hardware model, the operating system version, and the EFI version released with that OS. You will be surprised by knowing the numbers for some specific Mac models—43% of the analysed iMac models (21.5" of late 2015) were running outdated, insecure firmware, and at least 16 Mac models had never received any EFI firmware updates when Mac OS X 10.10 and 10.12.6 was available. "For the main EFI vulnerabilities that were acknowledged by Apple and patched during the time of our analysis, there were surprising numbers of models of Macs that received no update to their EFI despite continuing to receive software security updates," Duo researchers say. "Even if you’re running the most recent version of macOS and have installed the latest patches that have been released, our data shows there is a non-trivial chance that the EFI firmware you’re running might not be the most up-to-date version," Duo also found 47 models that were running 10.12, 10.11, 10.10 versions of macOS and did not receive the EFI firmware update with patches to address the known vulnerability, Thunderstrike 1. While 31 models did not get the EFI firmware patch addressing the remote version of the same flaw, Thunderstrike 2. The Thunderstrike attacks, initially developed by the National Security Agency (NSA), were also exposed in the WikiLeaks Vault 7 data dumps, which also mentioned the attack relies on the outdated firmware. More details on the vulnerable Mac models can be found in the Duo Labs research report. According to the researchers, their research was focused on the Mac ecosystem as Apple is in a somewhat unique position of controlling the full stack, but it can be widely deployed. "However, we are of the belief that the main issues we have discovered are generally relevant across all vendors tasked with securing EFI firmware and are not solely Apple," the researchers said. Enterprises with a large number of Mac computers should review their models outlined in the Duo Labs whitepaper, "The Apple of Your EFI: Findings From an Empirical Study of EFI Security," to see if their models are out-of-date. Mac users and administrators can also check if they are running the latest version of EFI for their systems by using free open-source tool EFIgy, which will soon be made available by the company.
Mac Firmware Updates Are Failing and Leaving Systems Vulnerable: Report 29.9.2017 securityweek Apple
There is a discrepancy between the frequency and thoroughness of Apple's Mac Operating System (OS X) and app security updates, and updates for the underlying firmware (EFI) on Mac computers. Researchers have found that on a sample of 73,324 Macs deployed in production settings, 4.2% are running outdated EFI -- leaving them potentially vulnerable to new exploits.
EFI is the modern form of BIOS -- it's where the instructions for getting the system successfully started are kept. As such, it occupies privilege level ring -2 and is responsible for loading the operating system from ring 0. In short, instructions on the firmware sit below the operating system and below all of the applications (including security software) that run on top of the operating system. Any malware that can be installed into this firmware is virtually invisible and almost impossible to clear.
The discrepancy between EFI and OS updates was discovered by Duo Security and announced in a report (PDF) and blog published today. The report will be presented by authors Rich Smith and Pepijn Bruienneat at this year's ekoparty conference in Buenos Aires.
The research started from the hypothesis that firmware and software updates do not necessarily proceed in step. Macs were chosen, say the authors in their blog post, because "Apple is in a somewhat unique position of controlling the full stack from hardware, through firmware, OS, and all the way up to application software and can be considered widely deployed." This made the research simpler, but they stress that they do not believe the issues they discovered are unique to Apple.
Since 2015, Apple has released EFI updates contained within its larger OS and security updates. This meant that the researchers could examine the current operating system build on a Mac, and know what firmware version should also be installed. "The comparison and observed discrepancies between these two datasets," explain the authors, "gives us a way to look at the deviance between the expected state of a Mac’s EFI and the actual state as we observed from systems in real-world use."
The researchers then analyzed more than 70,000 Macs being used in production environments and found that 4.2% were running firmware versions pre-dating the versions that could have been expected. For some Mac versions, the discrepancy was even greater; for example, 43% of the iMac 21.5" model from late 2015 were running incorrect versions of the EFI firmware.
"The size of this discrepancy is somewhat surprising," note the authors, "given that the latest version of EFI firmware should be automatically installed alongside the OS updates." Since the firmware updates are delivered as part of the OS updates, they would be installed automatically and invisibly (to the user) at the same time. The implication is that this is an issue stemming from Apple, and not some 'patch later' policy from the user.
Firmware attacks are neither simple nor that common, and tend to be used only against high-value targets. However, Duo Security points out that insecure firmware can leave users unknowingly susceptible to previously disclosed vulnerabilities such as Thunderstrike and the recent WikiLeaks Vault 7 data dumps that detail attacks against firmware.
Home users should probably not worry too much; however, says Smith, "The sophisticated and targeted nature of firmware attacks should be of particular concern to those who have higher security clearance or access to sensitive information at their respective organizations."
Back in 2012, Kaspersky Lab detailed targeted attacks against OS X users among Uyghur activists. This would be an example of a well-resourced attacker (possibly state-sponsored) attacking a high-value target (political dissidents). Had the attacks succeeded against the Mac firmware, they would not have been so easily discovered by Kaspersky Lab.
This is because, in Smith's words, EFI compromises offer three particularly worrying characteristics: they are low level, exceptionally stealthy, and highly persistent. They can read and write arbitrarily to disk or memory before the machine boots; they can deliver false information to any security tool trying to find them; and they can resist re-boots, re-installing the operating system, and even replacing the hard disk altogether.
The solution to the problem is to try to match the firmware with the OS updates; that is, to get EFI and OS back in step. Duo provides apps to help users discover the firmware in use. Where this is not possible, Smith suggests, "it would be well worth considering replacing Macs that cannot have updated EFI firmware applied, or moving them into roles where they are not exposed to EFI attacks (physically secure, controlled network access). While EFI attacks are currently considered both sophisticated and targeted, depending on the nature of the work your organization does and the value of the data you work with, it’s quite possible that EFI attacks fall within your threat model. In this regard, vulnerability to EFI security issues should carry the same weight as vulnerability to software security issues."
Duo Security reported its findings to Apple in late June. Apple has acknowledged a problem. "Interactions with Apple have been very positive," comments Smith, "and they seemed to genuinely appreciate the work and agreed with our methodologies, findings and conclusions. Despite the issues we found, we truly believe that Apple is leading the way in terms of taking EFI security seriously. They have continued to take steps forward with the release of macOS 10.13 (High Sierra). They have a world class firmware security team and we are excited to see the new security approaches they will take in future to keep the EFI environment even more secure."
Apple Silently Patched macOS Security Bypass Flaw 28.9.2017 securityweek Apple Researchers claim Apple has silently patched a macOS vulnerability that can be exploited to bypass one of the operating system’s security features and execute arbitrary JavaScript code without restrictions.
The issue, discovered by Filippo Cavallarin of Italian security firm Segment, has been described as a local JavaScript quarantine bypass flaw and it has been assigned a risk rating of 3/5.
When a file is downloaded from the Internet, macOS places it in “quarantine” by assigning it the com.apple.quarantine extended attribute. This ensures that the user is alerted of the potential security risks before the file is executed.
Cavallarin said he found a way to bypass the file quarantine feature by exploiting DOM-based cross-site scripting (XSS) vulnerabilities in an HTML file named rhtmlPlayer.html, which is stored in the /System/Library/CoreServices folder of the OS.
According to the researcher, this file contains two DOM-based XSS vulnerabilities that can be exploited by hackers via Uniform Resource Identifier (URI) components.
One way to exploit the flaw is to use .webloc files, which allow users to save website addresses to the local system. On macOS, these types of files are automatically opened with the Safari web browser.
The attacker needs to embed the JavaScript code they want executed into a .webloc file, send it to the victim, and convince them to open it. Segment has published a detailed technical advisory and a video showing how an attacker can exploit this vulnerability to steal sensitive data from the targeted device:
The vulnerability is said to affect macOS 10.12, 10.11, 10.10 and likely prior versions of the operating system. The issue was reported to Apple via Beyond Security’s SecuriTeam Secure Disclosure (SSD) program and it was addressed without any mention in macOS High Sierra 10.13, which Apple released earlier this week.
Beyond Security told SecurityWeek that it informed Apple of the flaw on July 27. The company said the tech giant did not respond to its questions regarding the issue in the past two weeks.
SecurityWeek has reached out to Apple for clarifications and will update this article if the company responds.
This is not the only macOS vulnerability disclosed in recent days. Earlier this month, researcher Patrick Wardle demonstrated how unsigned apps can steal data from the Keychain password management system, and how attackers can bypass the Secure Kernel Extension Loading (SKEL) security feature.
Google Researcher Publishes PoC Exploit for Apple iPhone Wi-Fi Chip Hack
27.9.2017 thehackernews Apple You have now another good reason to update your iPhone to newly released iOS 11—a security vulnerability in iOS 10 and earlier now has a working exploit publicly available. Gal Beniamini, a security researcher with Google Project Zero, has discovered a security vulnerability (CVE-2017-11120) in Apple's iPhone and other devices that use Broadcom Wi-Fi chips and is hell easy to exploit. This flaw is similar to the one Beniamini discovered in the Broadcom WiFi SoC (Software-on-Chip) back in April, and BroadPwn vulnerability disclosed by an Exodus Intelligence researcher Nitay Artenstein, earlier this summer. All flaws allow a remote takeover of smartphones over local Wi-Fi networks. The newly discovered vulnerability, which Apple fixed with its major iOS update released on September 19, could allow hackers to take control over the victim's iPhone remotely. All they need is the iPhone's MAC address or network-port ID. And since obtaining the MAC address of a connected device is easy, the vulnerability is considered a serious threat to iPhone users. Beniamini informed WiFi chip maker Broadcom and privately reported this vulnerability in Google's Chromium bug-reporting system on August 23. Now, following iOS 11 release, Beniamini published a proof-of-concept (PoC) exploit for the flaw to demonstrate the risks this flaw could pose on iPhone users. Beniamini says the flaw exists on Broadcom chips running firmware version BCM4355C0, which is not only used by iPhones but also used by a large number of other devices, including Android smartphones, the Apple TV and smart TVs. Once his exploit executes, Beniamini was able to insert a backdoor into Broadcom chip’s firmware, which allowed him to remotely read and write commands to the firmware, "thus allowing easy remote control over the Wi-Fi chip." Once all done, "you can interact with the backdoor to gain R/W access to the firmware by calling the "read_dword" and "write_dword" functions, respectively." The researchers tested his exploit only against the Wi-Fi firmware in iOS 10.2 but believe the exploit should also work on all versions of iOS up to 10.3.3. "However, some symbols might need to be adjusted for different versions of iOS, see 'exploit/symbols.py' for more information," Beniamini writes. Since there is no way to find out if your device is running the firmware version BCM4355C0, users are advised to update iPhones to iOS 11. Apple has also patched the issue in the most recent version of tvOS. Also, Google has addressed this issue on Nexus and Pixel devices, as well as Android devices earlier this month. However, Android users are required to wait for their handset manufacturers to push out the updates on their devices.
Google Discloses Critical Wi-Fi Flaws Affecting iOS, Android 26.9.2017 securityweek AndroidApple Google Project Zero has disclosed the details of two critical remote code execution vulnerabilities affecting the Broadcom Wi-Fi chips found in many Android and iOS devices.
The flaws, identified as CVE-2017-11120 and CVE-2017-11121, were patched in Android on September 5 with this month’s security updates and in iOS on September 19 with the release of iOS 11. tvOS versions prior to 11 are also impacted.
Until now, the only details known about these vulnerabilities were the fact that they are memory corruptions that could allow arbitrary code execution, and that they affect Broadcom Wi-Fi drivers.
Advisories made public late on Monday by Gal Beniamini of Google Project Zero provide additional details about the flaws and the Broadcom chips they affect.
“Broadcom produces Wi-Fi HardMAC SoCs which are used to handle the PHY and MAC layer processing. These chips are present in both mobile devices and Wi-Fi routers, and are capable of handling many Wi-Fi related events without delegating to the host OS,” the researcher explained.
The weakness tracked as CVE-2017-11120 is an out-of-bounds write issue that exists due to the way the Broadcom firmware handles the Neighbor Report Response frame of the Radio Resource Management standard. By injecting a large value into one of the buffers, an attacker within Wi-Fi range can achieve arbitrary code execution.
Beniamini said he found the problematic code in different versions of the Wi-Fi firmware, including on iPhone 7 and Samsung S7 Edge smartphones. The researcher has published a proof-of-concept (PoC) exploit for the iPhone 7. He believes the attack, which requires the targeted device to connect to a Wi-Fi network set up by the attacker, should work on all versions prior to iOS 11.
“Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” he explained.
The second flaw, CVE-2017-11121, allows remote code execution due to multiple buffer overflows when handling reassociation responses via the Fast BSS Transition feature. Beniamini has provided detailed technical information on how the vulnerability can be exploited, but he has not released an actual exploit.
This was not the first time Beniamini discovered critical Android and iOS vulnerabilities introduced by Broadcom Wi-Fi chips. In April, the researcher reported finding several remote code execution, privilege escalation and information disclosure flaws that could have been exploited without user interaction.
Another similar vulnerability, dubbed “Broadpwn,” was discovered earlier this year by Exodus Intelligence researcher Nitay Artenstein.
Apple Patches Vulnerabilities in macOS, macOS Server 26.9.2017 securityweek Apple Apple on Monday announced the release of security patches for its macOS users, available as part of the macOS High Sierra 10.13 platform upgrade.
The tech company addressed over 40 security flaws impacting OS X Lion 10.8 and later. Affected components include Application Firewall, AppSandbox, Captive Network Assistant, CoreAudio, Directory Utility, file, IOFireWireFamily, Kernel, libc, libexpat, Mail, ntp, Screen Lock, Security, SQLite, and zlib.
With 10 vulnerabilities addressed in it, ntp emerges as the most affected component, followed by file, with 6 security flaws, and SQLite with 5 vulnerabilities. These issues were addressed by updating to ntp version 4.2.8p10, file version 5.30, and SQLite version 3.19.3. Apple also addressed 4 bugs in zlib by updating it to version 1.2.11.
A flaw in AppSandbox could result in an application causing denial of service, while a bug in CFNetwork Proxies could allow an attacker in a privileged network position to cause a denial of service. An issue impacting Captive Network Assistant could result in a local user unknowingly sending a password unencrypted over the network.
A CoreAudio bug allowed an application to read restricted memory, while an issue in Directory Utility could allow a local attacker to determine the Apple ID of the owner of the computer. IOFireWireFamily bugs could allow attackers to execute arbitrary code, or applications to read restricted memory.
Other vulnerabilities could allow an attacker to impersonate a service or cause denial of service, an application to execute arbitrary code with kernel privileges, or the sender of an email to determine the IP address of the recipient. A bug in security could result in a revoked certificate to be trusted.
Apple also addressed a couple of issues in FreeRADIUS by updating it to version 2.2.10. macOS Server 5.4 was released for macOS High Sierra 10.13 to resolve these issues.
Also on Monday, Apple announced the release of iCloud for Windows 7.0 to resolve 22 vulnerabilities in only two components: SQLite and WebKit.
A single arbitrary code execution flaw was addressed in SQLite, while the remaining 21 vulnerabilities affected WebKit. These included issues that could lead to arbitrary code execution, universal cross site scripting, address bar spoofing, cross site scripting, or in the sending of cookies belonging to one origin to another origin.
Last week, Apple announced the availability of iOS 11 to resolve 8 vulnerabilities in the mobile OS. The platform was released along with Safari 11, which resolved 3 security flaws, and Xcode 9, which included patches for six bugs.
The tech company also released tvOS 11 to address 45 issues in the platform, and watchOS 4, which addressed 23 vulnerabilities.
Unsigned apps can dump the full OS keychain, including your plaintext passwords 26.9.2017 securityaffairs Apple
Hackers can steal macOS keychain passwords using unsigned applications, it works on the latest version of macOS, High Sierra 10.13, and previous releases. The cyber security expert Patrick Wardle, director of research at Synack, revealed that unsigned applications can steal macOS Keychain passwords from the latest version of macOS High Sierra and previous versions of macOS.
The researchers tested the exploit on Sierra and High Sierra, but he confirmed that El Capitan appears vulnerable as well. This issue is not a ‘High Sierra specific’ vulnerability.
The researchers shared a video that shows how an unsigned application can exfiltrate sensitive data from the macOS Keychain, including plaintext passwords.
“What does your attack do? A: I discovered a flaw where malicious non-privileged code (or apps) could programmatically access the keychain and dump all this data …. including your plain text passwords. This is not something that is supposed to happen! :(” explained Wardle.
patrick wardle ✔@patrickwardle on High Sierra (unsigned) apps can programmatically dump & exfil keychain (w/ your plaintext passwords)🍎🙈😭 vid: https://player.vimeo.com/video/235313957 #smh
11:54 AM - Sep 25, 2017 72 72 Replies 1,399 1,399 Retweets 1,295 1,295 likes Twitter Ads info and privacy It interesting to note that the attack does not require root permissions. The attack does require the knowledge of the master password, it only needs the targeted user to download and launched a malicious application, clearly ignoring the warnings displayed when an app from an unidentified developer is being executed.
“Q: What are the prerequisites for this attack? A: As this is a local attack, this means a hacker or piece of malware must first infect your your Mac! Typical ways to accomplish this include emails (with malicious attachments), fake web popups (“your Flash player needs updating”), or sometimes legitimate application websites are hacked (e.g. Transmission, Handbrake, etc). Theoretically, this attack would be added as a capability or as a payload of such malware. For example, the malware would persist, survey the system, then use this attack to dump the keychain. If I was writing a modular mac backdoor or implant, I’d call it the “dump keychain” plugin :)” added the expert.
Wardle reported the discovery to Apple along with a proof-of-concept (PoC) code, he avoided to publicly disclose technical details to prevent malicious actors from abusing the technique.
Security experts always recommend customers to download applications only from trusted sources and pay attention to the security warnings displayed by the operating system.
“A few things. As mentioned before, this attack is local, meaning malicious adversaries have to first compromise your mac in some way. So best bet – don’t get infected. This means run the latest version of macOS and don’t run random apps from emails or the web. Also, this attack requires that the keychain is unlocked. By default the keychain is unlocked when the user logs in. However, you can change the keychain password (so it is not automatically unlocked during login, or (via the Keychain Access app) lock the keychain while you are not using it. ” suggests Wardle to stay safe.
Unfortunately, Apple’s bug bounty program doesn’t cover macOS., this means that the expert will not be rewarded … let me hope that Apple will make an exception in this case.
Unsigned Apps Can Steal macOS Keychain Passwords 26.9.2017 securityweek Apple Just as Apple launched the latest version of macOS, High Sierra 10.13, a researcher published a video to show how unsigned applications can steal data from the operating system’s Keychain password management system.
Patrick Wardle, director of research at Synack, revealed on Monday that High Sierra and previous versions of macOS are vulnerable. The video made by the expert shows how an unsigned application can programmatically dump and exfiltrate sensitive data from the Keychain, including plaintext passwords, without needing the master password.
The attack does require the targeted user to download and execute a malicious application, and ignore the warnings displayed when a program from an unidentified developer is being launched. However, the attack does not require root permissions.
Apple has been informed of the vulnerability and provided proof-of-concept (PoC) code. Wardle has not made public any technical details to prevent malicious actors from exploiting the flaw.
Until a patch may become available, Apple has advised customers to download software only from trusted sources and pay attention to the security warnings displayed by the operating system.
Over the past years, researchers have found several vulnerabilities that could have allowed hackers to steal keychain secrets, and Apple, in most cases, released patches or made changes to prevent attacks.
This is not the only High Sierra vulnerability discovered by Wardle in recent weeks. Earlier this month, he demonstrated how attackers can bypass the new Secure Kernel Extension Loading (SKEL) security feature introduced in the latest version of macOS.
The researcher has found several vulnerabilities and design flaws in Apple software in recent years, including ways to bypass the Gatekeeper security system, abuse legitimate apps to spy on users, and conduct DLL hijacking attacks.
Threat Report Says 1 in 50 iOS Apps Could Leak Data 18.9.2017 securityweek Apple A new global threat report for the mobile ecosystem shows that iOS provides a bigger threat than is often perceived. While the insecurities of the Android operating system are well-documented, the report notes that 1 in 50 iOS apps used in enterprise environments could potentially leak sensitive data.
Zimperium, a firm that provides next-gen machine learning endpoint protection for mobile devices, published its Global Threat Report Q2-2017 (PDF) on Friday.
During the second quarter -- April 1 to June 30, 2017 -- Zimperium's telemetry detected three specific threat categories to the mobile ecosystem. It describes them as device threats and risks (such as unpatched vulnerabilities), network threats (threats delivered via the cell network), and app threats (malware, spyware, adware and leaky apps on devices).
The threat from vulnerabilities in the iOS and Android operating systems has grown dramatically over the last few years. In 2014, there were fewer than 200 CVEs registered. By 2016, this had rocketed to around 600. This year (2017) there have already been more CVEs registered than for the whole of 2016.
iOS Apps Could Leak DataIt is not the operating systems becoming less secure -- it is more likely that both attackers and researchers are paying greater attention because of the increasing use of both iOS and Android in the corporate environment. "Cyber criminals are more likely to take the path of least resistance," notes the report, "and enterprise data is most vulnerable via mobile devices since most of time spent is away from secure networks, on public Wi-Fi and on apps that IT and security do not control or administer." It adds that "U.S. consumers now spend over 5 hours per day on mobile devices."
Unpatched vulnerabilities are as much a threat to mobile devices as they are to traditional devices. Unsurprisingly, given the fragmented nature of the Android market, Zimperium found that 94% of Android devices are using an outdated version of the OS. More surprising, however, is that 23% of iOS devices are also outdated. Despite the more timely and simple update process for iOS, Zimperium found that 1 in 5 Apple devices had not been updated 45 days after the update was readily available.
"The most concerning risks associated with iOS devices were malicious configuration profiles and 'leaky apps'," says Zimperium. These could ultimately allow a remote connection to control the device or siphon data without the user's knowledge.
The most serious of the network threats comes from man-in-the-middle (MITM) attacks. Zimperium's telemetry shows that 5% of all devices detected an attacker's reconnaissance scan, and that 80% of these subsequently received a MITM attack. "This is the most severe type of network attack," says the report, "since it is usually invisible to a user. Unless a user has a mobile threat defense app that can detect the attack on his/her device in real-time (e.g., zIPS), their wireless connection can be rerouted to a proxy and their data may be compromised."
While the threat of malicious apps and malware on the Android ecosystem is well-known and chronicled, Zimperium found that the iOS ecosphere should not be considered secure. Zimperium's machine-learning anomaly detection engine scanned 50,000 iOS applications present on enterprise users' iOS devices.
While it found that only 1% of the Apple devices had malware present, it found that nearly 1 in 5 devices had apps able to retrieve private information like passwords and the device's Unique Device Identifier, UDID. It also found that approximately 3% of the apps were using weak encryption or hashing algorithms -- like MD2 -- and are not considered secure to pass private, payment data or in-app purchases.
Zimperium found seven specific iOS app threats: malware; keychain sharing; MD2 encryption; private frameworks; private info URL; UDID reading; and the ability to read private information during a public USB recharge. It found that 2.2% of the analyzed apps have at least one of these issues. "This is a significant concern to enterprises since 1 of 50 apps is potentially leaking data to third parties," says Zimperium.
Zimperium has raised $60 million through several rounds of funding since the company was founded in 2010.
Secure Kernel Extension Loading in macOS Easily Bypassed: Researcher
14.9.2017 securityweek Apple Apple's new Secure Kernel Extension Loading (SKEL) security feature, set to be implemented in the upcoming macOS 10.13 High Sierra, can be easily bypassed, a security researcher claims.
The issue, according to Patrick Wardle, Chief Security Researcher at Synack, is with the current implementation of the feature, which does almost nothing to stop hackers or malware, although it does hamper the efforts of third-party macOS developers such as those that design security products.
According to Wardle, while SKEL is designed to counter the direct loading of malicious kernel extensions such as rootkits, no signed kernel-mode macOS malware has emerged to date.
“Since OS X Yosemite, any kexts have to be signed with a kernel code-signing certificate. And unlike user-mode Developer IDs, Apple is incredibly ‘protective’ of such kernel code-signing certificates – only giving out a handful to legitimate 3rd-party companies that have justifiable reasons to create kernel code,” he points out.
Thus, SKEL’s main goal would be to block the loading of legitimate but (known) vulnerable kexts, given that attackers can exploit them to gain arbitrary code execution within the context of the kernel. Apple can blacklist these vulnerable kexts via the OSKextExcludeList dictionary, but the operation is often delayed, because it can break functionality until the user has upgraded to a non-blacklisted version of the kext.
According to Wardle, the exploitable kernel heap-overflow in Little Snitch’s kernel driver that he discovered last year, can be abused by a local privileged attacker to bypass macOS’s kernel code-signing requirements.
An attacker with root privileges can load a vulnerable copy of the LittleSnitch.kext (versions earlier than 3.61), which would be allowed, given that the vulnerable driver is still validly signed, and then exploit the heap-overflow to gain arbitrary code execution within the kernel. Next, the attacker can bypass system integrity protection (SIP), load unsigned kexts, and perform other nefarious operations.
SKEL can block the direct loading of maliciously signed kexts, but it is mainly designed to “thwart the loading of known vulnerable drivers for malicious purposes,” Wardle claims. Thus, when a signed third-party kernel extension is loaded on High Sierra for the first time, SKEL blocks it and alerts the user. The user, however, can manually approve the (signed) kernel extension to load.
However, the blocking doesn’t happen if the kernel extension was “already installed at the time of upgrading to macOS High Sierra,” if it is signed with the same Team ID as a previously approved extension, is “replacing a previously approved extension,” or is being loaded on a Mac that is enrolled with an MDM solution.
The researcher discovered that, when blocking the kext and alerting the user, the system policy daemon accesses a ‘kernel policy’ database, and notes that this is what tells SKEL to block or allow the loading. Due to an implementation vulnerability in SKEL, Wardle was able to load a new unapproved kext, without user interaction.
Wardle didn’t provide technical details on the vulnerability as of now, but did publish a demo of a full SKEL bypass. He says that High Sierra’s SKEL’s flawed implementation is a perfect example of how new security features can often just complicate the lives of third-party developers.
“Of course though, as attackers we have the easier job – a single implementation flaw in SKEL may allow us to fully bypass it. Apple on the other hand, has to protect against everything,” the researcher points out.
Apple Brings FaceID to New iPhone X
14.9.2017 securityweek Apple iPhone X Uses Facial Recognition to Unlock Device, Apple Says 1 in 1,000,000 Chance of False Positive
At the Apple Special Event 2017, Apple announced on Tuesday three new iPhones (X, 8 and 8 Plus), the Apple Watch Series 3, the new Apple TV 4K -- and new software in the form of iOS 11 and WatchOS 4. Star of the show, however, is the new iPhone X (pronounced 'ten') that marks the tenth anniversary of the birth of iPhones.
As with many things Apple, the iPhone X capabilities range from the sublime to the ridiculous: from new facial biometric unlocking to user emotion-matching emojis. Both come courtesy of the new front-facing camera system that continuously scans the user's face.
From a security perspective, the key elements include ditching the Home key and fingerprint access for facial access, and a new requirement for a passcode to be entered before the iPhone can be connected to an external device (such as, for example, a forensic scanning system).
FaceID on iPhoneXFacial recognition is not new to mobile phones; but early attempts could sometimes be circumvented by presenting a photograph of the genuine user. Apple claims that this will not work.
The iPhone X uses a TrueDepth camera system combined with a series of sensors (including proximity and ambient light) at the top of the front of the phone. Coupled with infra-red capabilities and an internal neural engine, the iPhone can recognize its owner with only 1 in 1,000,000 false positives, day or night. This compares to just 1 in 50,000 false positives for the earlier TouchID fingerprint access.
At one level, this would seem to solve law enforcement's problem in accessing a suspect's iPhone. While it would be possible to physically force a suspect to present a finger to TouchID (with varying degrees of legality, and possibly the wrong finger), the X merely needs to 'see' the suspect's face.
However, this is offset by an additional feature in the iOS 11 software: any attempt to connect the iPhone to an external device will now require an extra passcode. So, while it may be easier for law enforcement to access what is visible on the phone itself, it will be much harder to attach an external device, such as a PC, to allow full forensic investigation of the phone.
For now, we only know what Apple has told us -- so we don't know how subtle or nuanced the facial recognition can become. We are told that, courtesy of the neural engine, the system gets better over time at recognizing its user, and can adapt to recognize changes (such as aging). We are told that wearing a hat or growing a beard will not confuse it.
But we don't know whether it can detect specific emotions, such as fear, that could be used as a panic button. Without an obvious and clear panic button, there is a danger that violence in phone thefts could escalate -- physical thieves could use physical force against the user to both steal and unlock the phone. Tapping the side power button five times in rapid succession will disable FaceID, but it is debatable whether a user under duress would have either the time or composure to do this.
It is possible, of course, that an emotional panic button could be introduced since the new user-imitating animated emojis are based on the user's emotions, as scanned by the TrueDepth camera.
On the surface, it appears as if the iPhone X's security systems are fairly robust and well-planned. As soon as the model becomes available in November, we will learn how well these theories will stand against sophisticated hackers who will seek kudos as the first person or group to break into an iPhone X. "While it is difficult to replicate the facial features of a user," comments Stephen Cox, chief security architect at SecureAuth, "early attempts at this technology in consumer devices were easily defeated by simply placing a picture of the user's face in front of the camera. The iPhone X has 3D capabilities that can judge distance, a mitigation for this vulnerability. It remains to be seen how effective it is, but you can bet that the hacker community will fervently try to defeat it."
"We will not know of the quality of Apple’s FaceID facial scanning until the security community tests it, but the combination of an IR sensor and camera makes this system quite accurate and difficult to trick," Corey Nachreiner, CTO at network security firm WatchGuard Technologies, told SecurityWeek.
"Whatever factors you chose," Nachreiner says, "I strongly believe in multifactor authentication. Whether it’s fingerprints or facial scans, bad actors will continually find ways around different identity tokens, even biometric ones. You get strong security by layering multiple tokens (i.e. a password and a facial scan)."
Nachreiner also reminds that your iPhone would have a 3D model of your face. "I’m sure Apple is taking good steps to secure it on the device, but it is technically a valuable new piece of data on your mobile for future attackers to target," he said.
Meanwhile, it is worth noting Edward Snowden's Twitter comment: Good, "Design looks surprisingly robust"; bad, "Normalizes facial scanning, a tech certain to be abused."
As long ago as 2004, the then UK Information Commissioner, Richard Thomas, warned that Britain was in danger of sleepwalking into a surveillance society. Snowden fears that by making facial scanning part of everyday life, the public will accept its use in more and more privacy-invasive applications -- both state and commercial.
Beware! Viral Sarahah App Secretly Steals Your Entire Contact List
29.8.2017 thehackernews Apple Are you also one of those 18 Million users using SARAHAH? You should beware of this app because the anonymous feedback application may not be as private as it really sounds. Sarahah is a newly launched app that has become one of the hottest iPhone and Android apps in the past couple of weeks, allowing its users to sign up to receive anonymised, candid messages from other Sarahah users. However, it turns out that the app silently uploads users' phone contacts to the company's servers for no good reason, spotted by security analyst Zachary Julian. When an Android or iOS user downloads and installs the app for the first time, the app immediately harvests and uploads all phone numbers and email addresses from the user's address book, according to The Intercept. While an app requesting access to the user's phonebook is quite common if the app provides any feature that works with contacts, no such functionality in Sarahah is available right now. "The privacy policy specifically states that if it plans to use your data, it'll ask for your consent, while the app's entry in Google's Play Store does indicate the app will access contacts, that's not enough consent to justify sending all of those contacts over without any kind of specific notification" However, the creator of Sarahah, Zain al-Abidin Tawfiq, responded to the story by saying his app actually harvests and uploads the contacts from users to the company's servers for a feature that will be implemented at a later time.
Tawfiq said that users' contact lists are being uploaded "for a planned 'find your friends' feature," which was "delayed due to a technical issue" and was accidentally not removed from the Sarahah's current version. Tawfiq also assured its users that "the data request will be removed on next update" to the app and that Sarahah's servers do not "currently host contacts," which is, of course, impossible to verify. Sarahah took the Internet by storm within few weeks, making the app the third most downloaded free application software for iPhones and iPads. The app has already been downloaded by an estimated 18 Million users from Apple and Google’s online stores. However, you can still use Sarahah by blocking the app from accessing your contacts, without risking your contacts to be uploaded to its servers. Since newer Android operating systems (starting with Android 6.0 Marshmallow) do allow users to limit permissions for apps, users can limit permissions so that apps do not gain access to contacts or other information that doesn't have anything to do with the app's functioning. To do so, Go to Settings → Personal → Apps, now under Configuration App, open App permission and limit permission of apps you like.
Beware of Windows/MacOS/Linux Virus Spreading Through Facebook Messenger
25.8.2017 thehackernews Apple If you came across any Facebook message with a video link sent by anyone, even your friend — just don’t click on it. Security researchers at Kaspersky Lab have spotted an ongoing cross-platform campaign on Facebook Messenger, where users receive a video link that redirects them to a fake website, luring them to install malicious software. facebook-virus-hacking-account-malware Although it is still unclear how the malware spreads, researchers believe spammers are using compromised accounts, hijacked browsers, or clickjacking techniques to spread the malicious link. The attackers make use of social engineering to trick users into clicking the video link, which purports to be from one of their Facebook friends, with the message that reads "< your friend name > Video" followed by a bit.ly link, as shown. Here's How this Cross-Platform Malware Works: The URL redirects victims to a Google doc that displays a dynamically generated video thumbnail, like a playable movie, based on the sender's images, which if clicked, further redirects users to another customised landing page depending upon their browser and operating system. For example, Mozilla Firefox users on Windows are redirected to a website displaying a fake Flash Player Update notice, and then offered a Windows executable, which is flagged as adware software. Google Chrome users are redirected to a website that masquerades as YouTube with similar YouTube logo, which displays a fake error message popup, tricking victims into downloading a malicious Chrome extension from the Google Web Store. The extension actually is a downloader that downloads a file of attacker's choice to the victim's computer. "At the time of writing, the file which should have been downloaded was not available," David Jacoby, a chief security researcher from Kaspersky Lab, writes in a blog post published today. "One interesting finding is that the Chrome Extension has log files from the developers displaying usernames. It is unclear if this is related to the campaign, but it is still an amusing piece of information." Users of Apple Mac OS X Safari ends up on a web page similar to when using Firefox, but it was customised for MacOS users with a fake update for Flash Media Player, which if clicked, downloads an OSX executable .dmg file, which is also adware. Same in case of Linux, user redirects to another landing page designed for Linux users. The attackers behind the campaign are not actually infecting users of all platform with any banking Trojan or exploit kits, but with adware to make a lot of money by generating revenue from ads. Spam campaigns on Facebook are quite common. A few years ago, researchers found cyber criminals using boobytrapped .JPG image files to hide their malware in order to infect Facebook users with variants of the Locky ransomware, which encrypts all files on the infected PC until a ransom is paid. To keep yourself safe, you are advised not to get curious to look at images or video links sent by anyone, even your friend, without verifying it with them, and always keep your antivirus software up-to-date.
Decryption Key for Apple's SEP Firmware Posted Online
18.8.2017 securityweek Apple What appears to be the decryption key for Apple's Secure Enclave Processor (SEP) firmware was posted online by a hacker going by the name of xerub.
A coprocessor fabricated in the Apple S2, Apple A7, and later A-series CPUs, SEP uses encrypted memory, has a hardware random number generator and “provides all cryptographic operations for Data Protection key management and maintains the integrity of Data Protection even if the kernel has been compromised,” Apple explains in the iOS Security Guide.
At startup, the device creates an ephemeral key entangled with the UID (Unique ID), and uses it to encrypt the Secure Enclave’s portion of memory space. The key is also used to authenticate the Secure Enclave (except on Apple A7). Apple also explains that data “saved to the file system by the Secure Enclave is encrypted with a key entangled with the UID and an anti-replay counter.”
SEP uses its own secure boot and securely generates the UID on A9 or later A-series processors. Because SEP handles Touch ID transactions, password verification, and other security processes, along with the generation of the device's UID, it is critical to iOS’ security and the public availability of the decryption key could spell disaster.
Despite publishing the decryption key (tools needed to decrypt the key are available in this GitHub repository, while those needed to process it are available in this one), xerub didn’t provide details on the decryption process.
The availability of the key, however, doesn’t appear to affect the overall security of the enclave, and even the hacker suggested that SEP doesn’t add much to security, despite its “black box” design. While the key would allow for the decryption of the firmware, it wouldn’t provide access to user data.
While researchers could only speculate what was happening inside the Secure Enclave until now, the availability of this key could shed some more light into the matter. In addition to security researchers, hackers too could start looking for vulnerabilities in SEP, in an attempt to devise new exploits to bypass authentication or generate fraudulent transactions.
SecurityWeek has contacted Apple for a comment on this and will update the story if a response arrives.
Hacker published the decryption key for the Apple Secure Enclave security chip 18.8.2017 securityaffairs Apple
A hacker Thursday afternoon published what he claims to be the decryption key for Apple iOS’ Secure Enclave Processor (SEP) firmware. The Apple Secure Enclave is an ARM-based coprocessor that enhances iOS security, but on Thursday a hacker published what he says is the decryption key for Apple iOS’ Secure Enclave Processor (SEP) firmware.
According to Apple technical documentation, the Secure Enclave coprocessor is built into Apple S2 (Watch Series 2), A7 (iPhone 5S, iPad Air, Mac Mini 2 and 3), and subsequent A-series chips.
The coprocessor generates the Unique ID (UID) number and keeps it segregated from the rest of iOS for all devices powered by the A9 (iPhone 6S, 6S Plus, SE, and 2017 iPad) and later generations of silicon,
The Secure Enclave also handles the authentication process based on fingerprint gathered through the device’s Touch ID sensor.
The hacker, who goes online with the moniker “xerub” explained that the decryption key unlocks only the SEP firmware, and not user data. xerub published the key also on GitHub and to the community website iPhone Wiki.
“Everybody can look and poke at SEP now,” xerub said.
Follow ~ @xerub key is fully grown https://www.theiphonewiki.com/wiki/Greensburg_14G60_%28iPhone6,1%29 … use https://github.com/xerub/img4lib to decrypt and https://gist.github.com/xerub/0161aacd7258d31c6a27584f90fa2e8c … to process 9:01 PM - Aug 16, 2017 Photo published for xerub/img4lib xerub/img4lib image4 vfs. Contribute to img4lib development by creating an account on GitHub. github.com 4 4 Replies 130 130 Retweets 198 198 likes Twitter Ads info and privacy The key allows to decrypt and explore the encrypted firmware code, a gift for experts and hackers that can have more information about the iOS platform.
Using the key in conjunction with xerub’s img4lib it is possible to decrypt an iPhone 5s IMG4 SEP (Secure Enclave Processor) firmware image. The decrypted data can be analyzed with a tool called sepsplit to extract the executable binaries from the image.
Since the release of the iPhone 5s in 2013, Apple has introduced many security improvements and others are announced with the forthcoming devices and OS 11.
At the 2016 Black Hat, a group of security researchers made an interesting presentation on the Apple’s Secure Enclave providing some high-level technical details about its design and security features.
Gmail for iOS Adds Anti-Phishing Feature that Warns of Suspicious Links
15.8.2017 thehackernews Apple Phishing — is an older style of cyber-attack but remains one of the most common and efficient attack vectors for attackers, as a majority of banking malware and various ransomware attacks begin with a user clicking on a malicious link or opening a dangerous attachment in an email. Phishing has evolved than ever before in the past few years – which is why it remains one of those threats that we have been combating for many years. We have seen phishing campaigns that are so convincing and effective that even tech-savvy people can be tricked into giving away their credentials to hackers. And some that are "almost impossible to detect" and used to trick even the most careful users on the Internet. To help combat this issue, Google has introduced a security defence for it's over a billion users that will help users weed out phishing emails from their Gmail inbox. Google has rolled out new anti-phishing security checks for its Gmail app for iPhone users that will display a warning about potential phishing attempts when users click on a suspicious link from within the app on their iPhone or iPad. This new feature will take nearly two weeks before it is available everywhere. According to the tech giant, when a user clicks on a link that Google thinks could be suspicious, they will be displayed a pop-up, warning of an untrusted nature of the website they are attempting to visit. Suspicious link This link leads you to an untrusted site. Are you sure you want to proceed to example.com? If the user ignores this first warning and continue, the Gmail app will display another warning with more detailed information about the suspected malicious website that the company finds it to be a malicious phishing page. Warning – phishing (web forgery) suspected The site you are trying to visit has been identified as a forgery, intended to trick you into disclosing financial, personal or other sensitive information. You can continue to example.com at your own risk. A similar feature has already been made available in the Gmail app for Android since May of this year. Although the feature would surely not detect every phishing attempt that could compromise your credentials, we believe it will help users combat such attacks to much extent. So, always exercise caution over what links you click mentioned in your emails or attachments you open. Additionally, Gmail users need to enable two-factor authentication, so even if attackers have access to your credential, they will not be able to proceed further without your phone or the USB cryptographic key in order to access your account.
MUGHTHESEC, a signed Mac adware that hijacks the victim’s browser for profit 14.8.2017 securityaffairs Apple
Experts spotted a new signed Mac adware dubbed MUGHTHESEC that hijacks victim’s browser for profit and can be removed only reinstalling the OS. According to the expert Patrick Wardle, Director of Research at Synack, a new strain of Mac adware is threatening Mac users, once infected a machine the only way to remove it is to reinstall the macOS.
The researcher and Mac expert Thomas Reed, speculate the new family of Mac adware dubbed Mughthesec is an improved version of the well known OperatorMac family.
7 Aug Gavriel State @gavrielstate Replying to @patrickwardle @thomasareed Hi Patrick - sent you a zip file in email. Yes, there was a launchagents plist in there, but I killed it before archiving. Follow Thomas Reed @thomasareed Thanks, Patrick sent me the hash too. Looks like a new variant of something we call OperatorMac (though that may be a bad name). 2:30 AM - Aug 8, 2017 1 1 Reply Retweets likes Twitter Ads info and privacy Other malware experts claim the threat has been in the wild at least since six months, but the detection rate on VirusTotal is still low. Follow Objective-See @objective_see Made it to blog post #32! 😍 Read: "WTF is Mughthesec!? Poking on a Piece of Undetected Adware" 👾☠️🍎 https://objective-see.com/blog/blog_0x20.html … #adware #malware 8:54 PM - Aug 8, 2017 1 1 Reply 35 35 Retweets 29 29 likes Twitter Ads info and privacy The Mac Malware has been improved across the months, new features were implemented such as an MAC-address-based anti-VM detection system and components of Mughthesec are signed with a legitimate Apple developer certificate allowing it to bypass the Gatekeeper protection that normally prevents the installation of unsigned applications.
“In a nutshell, I think the issue isn’t that anything here is incredible new or exciting; more that existing security/mitigation strategies are rather failing miserably,” Wardle explained. “So we’ve got Gatekeeper that’s designed to block unsigned code from the internet to prevent users from getting tricked into installing malware (e.g. fake flash updaters)….which is a great idea. But now most Mac adware/malware is just signed with certs. So gatekeeper is basically a moot point. Normal-everyday users are still going to go around infecting themselves…and things designed to protect them; Gatekeeper/AV etc, really don’t offer any help.”
The adware is currently delivered as a file called Player.dmg that installs a legitimate version of the Adobe Flash Player for Mac, but also an unwanted app named Advanced Mac Cleaner, and two Safari extensions named Safe Finder and Booking.com.
“The PUPs are in my opinion, rather shady. I mean they automatically install browser plugins circumventing Apple’s security mechanisms in Safari,” Wardle said. “So sure, they ask for user permission to be installed during install, but then do things that generally the user probably doesn’t want. It’s that gray area between legit code and malware.”
Patrick Wardle believes the malware is spread via malvertising campaigns or via malicious ads and popups on shady websites. “Either way, user-interaction is likely required [for both the download and installation],” says Wardle.
Patrick Wardle described the threat with the following statement from his post published on the Objective-See blog. “What is Mughthesec?” The answer; likely a new variant of the ‘SafeFinder/OperatorMac’ adware. Yes it’s rather unsophisticated macOS malware, but it’s installer is signed (to ‘bypass’ Gatekeeper) and at the time of this analysis no anti-virus engines were detected it….and mac users are being infected 😐 Speaking of infection, due to the fact that the installer is masquerading as Flash Player installer, it’s likely that this adware is relying on common infection techniques to gain new victims. If I had to guess its infection vector is likely one (or all?) of the following: fake popups on ‘shady’ websites malicious ads, perhaps on legit websites. Either way, user-interaction is likely required. “
The malware, once installed, hijacks the victim’s browser for profit.
“A common tactic of adware is to hijack the victim’s browser (homepage, inject ads, etc) for financial gain,” Wardle said. “Mughthesec (which is installed when the user ‘agrees’ to install ‘Safe Finder’) appears to conform to goal.”
“If we open Safari; indeed the home page has been hijacked–though in a seemingly innocuous way,” Wardle said, adding that he did not test the sample on Google’s Chrome browser. “It simply displays a rather ‘clean’ search page—though looking at the source, we can see the inclusion of several scripts ‘Safe Finder’ scripts.”
Wardle highlighted that other files dropped by the adware on infected hosts allow the malware operator to drop other malicious payloads.
The presence of the Mughthesec infection must alert Mac users that will never know if other malware has been installed by crooks along with the adware, and for this reason, they should reinstall their Mac.
Apple Removes Some VPN Services From Chinese App Store
31.7.2017 securityweek Apple Apple has removed software allowing internet users to skirt China's "Great Firewall" from its app store in the country, the company confirmed Sunday, sparking criticism that it was bowing to Beijing's tightening web censorship.
Chinese internet users have for years sought to get around heavy internet restrictions, including blocks on Facebook and Twitter, by using foreign virtual private network (VPN) services.
Beijing mandated in January that all developers must obtain government licenses to offer VPNs, leading to the Apple decision.
Apple Removes VPN Apps from App Store
"We have been required to remove some VPN apps in China that do not meet the new regulations," Apple told AFP in a statement Sunday.
"These apps remain available in all other markets where they do business."
Two major providers, ExpressVPN and Star VPN, said on Saturday that Apple had notified them that their products were no longer being offered in China. Both firms decried the move.
"Our preliminary research indicates that all major VPN apps for iOS have been removed," ExpressVPN said in a statement, calling Apple's move "surprising and unfortunate".
"We're disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China's censorship efforts," it added.
Star VPN wrote on Twitter: "This is very dangerous precedent which can lead to same moves in countries like UAE etc. where government control access to internet."
China has hundreds of millions of smartphone users and is a vital market for Apple, whose iPhones are wildly popular in the country.
The company unveiled plans earlier this month to build a data centre in China to store its local iCloud customers' personal details.
While China is home to the world's largest number of internet users, a 2015 report by US think tank Freedom House found that the country had the most restrictive online use policies of 65 nations it studied, ranking below Iran and Syria.
But China has maintained that its various forms of web censorship are necessary for protecting its national security.
The national VPN crackdown comes after the passing of a controversial cybersecurity bill last November that tightened restrictions on online freedom of speech and imposed new rules on service providers.
Since the regulation took effect this June, authorities have closed dozens of celebrity gossip blogs and issued new rules around online video content to eliminate programs deemed offensive.
Apple removed iOS VPN apps from Chinese App Store in compliance to censorship law 31.7.2017 securityaffairs Apple
In compliance with Chinese Internet monitoring law, Apple has started removing all IOS VPN apps from it App Store in China. The company complies with a request from the Chinese Government that wants to strict censorship making it harder for netizens to bypass the Great Firewall system (aka Golden Shield project).
The Golden Shield project allows China to censor Internet and block access to major foreign websites in the country, it is already blocking some 171 out of the world’s 1,000 top websites, including Google, Facebook, Twitter, and Dropbox.
In a blog post, the developers at VPN service provider ExpressVPN reported how the tech giant Apple informed them that their VPN app had been removed from the official Chinese App Store.
“We received notification from Apple today, July 29, 2017, at roughly 04:00 GMT, that the ExpressVPN iOS app was removed from the China App Store. Our preliminary research indicates that all major VPN apps for iOS have been removed.” reads the blog post.
“Users in China accessing a different territory’s App Store (i.e. they have indicated their billing address to be outside of China) are not impacted; they can download the iOS app and continue to receive updates as before.”
The same thing is happening to all major VPN providers that are receiving a similar notice from Apple.
To bypass Chinese censorship, citizens use virtual private networks (VPNs), but earlier this year, China increased the pressure on VPN service providers making it mandatory for them to be authorized by local authorities.
The decision to ban VPN services and proxies is part of the “clean-up” of China’s Internet connections launched by the Ministry of Industry and Information Technology.
“We’re disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China’s censorship efforts,” continues ExpressVPN statement. Another VPN service provider, Star VPN, also received same notice from Apple. “We are writing to notify you that your application will be removed from the China App Store because it includes content that is illegal in China,” Apple said in the notice. “We know this stuff is complicated, but it is your responsibility to understand and make sure your app conforms with all local laws.” A few weeks ago, Apple announced it is setting up its first data center in China in the southern province of Guizhou to comply with new Government cyber security laws that request tech giants to store data related to Chinese customers locally.
Apple removes VPN Apps from the China App Store 30.7.2017 thehackernews Apple In order to comply with Chinese censorship law, Apple has started removing all virtual private network (VPN) apps from the App Store in China, making it harder for internet users to bypass its Great Firewall. VPN service providers that provide services in China has accused the United States tech giant of complying with Chinese stringent cyberspace regulations. In a blog post, the developers of ExpressVPN reported that Apple informed them that their VPN app had been pulled from the company's Chinese App Store, and it seems all major VPN clients have received the same notice from Apple. China has strict Internet censorship laws through the Great Firewall of China – the country's Golden Shield project that employs a variety of tricks to censor Internet and block access to major foreign websites in the country. The Great Firewall is already blocking some 171 out of the world's 1,000 top websites, including Google, Facebook, Twitter, Dropbox, Tumblr, and The Pirate Bay in the country. Therefore, to thwart these restrictions and access these websites, hundreds of millions of Chinese citizens use virtual private networks (VPNs) that encrypt their online traffic and route it through a distant connection. However, earlier this year, China announced a crackdown on VPNs and proxy services in the country and made it mandatory for all VPN service providers and leased cable lines operators to have a license from the government to use such services. This 14-month-long crackdown on the use of unsupervised internet connections, including VPNs was launched by the country's Ministry of Industry and Information Technology, who called it a "clean-up" of China's Internet connections. Now, ExpressVPN received a notice from Apple that its app would be removed from the China-based App Store "because it includes content that is illegal in China." "We're disappointed in this development, as it represents the most drastic measure the Chinese government has taken to block the use of VPNs to date, and we are troubled to see Apple aiding China's censorship efforts," ExpressVPN said in a statement. Not just ExpressVPN alone, but another VPN service provider, Star VPN, also received same notice from Apple, the company confirmed via its official Twitter account on Saturday. "We are writing to notify you that your application will be removed from the China App Store because it includes content that is illegal in China," Apple said in the notice. "We know this stuff is complicated, but it is your responsibility to understand and make sure your app conforms with all local laws." Although Apple did not comment on this issue, it is no coincidence, as the company has severely been implementing various aspects of Chinese law in recent months for its regional operations in the most populated country. Earlier this year, Apple removed the New York Times (NYT) app from its Chinese App Store because the app was in "violation of local regulations." The tech giant has even partnered with a local firm in the southwestern province of Guizhou earlier this month to set up its first data centre in China, which will store all user information for Chinese customers.
BlackHat 2017 – Positive Technologies researcher claims ApplePay vulnerable to two distinct attacks 29.7.2017 securityaffairs Apple
BlackHat 2017 – Security expert at Positive Technologies claims ApplePay vulnerable to two distinct attacks. At the Black Hat USA hacking conference, security researchers from Positive Technologies announced to have devised two distinct attacks against ApplePay exploiting weaknesses in the mobile payment method.
ApplePay is considered today one of the most secure payment systems, but Positive Technologies claimed it had discovered two potential attack vectors.
“With wireless payments – PayPass, ApplePay, SamsungPay, etc, there is a perception that ApplePay is one of the most secure systems. ApplePay’s security measures mean that it has a separate microprocessor for payments [Secure Enclave], card data is not stored on the device nor is it transmitted in plaintext during payments.” said Timur Yunusov, head of banking security for Positive Technologies.
“During testing, I have discovered at least two methods that render these precautions worthless. While one relies on the device being jailbroken, which is estimated at 20 percent* and is a practice that the security community opposes, another is against a device that is ‘intact.’ Attackers can either register stolen card details to their own iPhone account, or they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments directly from the victim’s phone.”
A first attack presented in a talk by Yunusov requires a jailbroken device to work, this means that attackers have to infect a jailbroken device with malware. Once infected the mobile, the attackers can intercept the payment data to an Apple server. Once hackers have successfully infected the device with malware having root privileges, they have reached their goal.
The second attack doesn’t request a jailbroken because hackers intercept and/or manipulate SSL transaction traffic. The attackers tamper with transaction data, for example by changing the amount or currency being paid or the delivery details for the goods being ordered.
Attackers can register stolen card details to their own iPhone account to make payments on behalf of the victims, they can intercept the SSL traffic between the device and the Apple Server to make fraudulent payments.
“The first step in the second attack is for hackers to steal the payment token from a [targeted] victim’s phone. To do that, they will use public Wi‑Fi, or offer their own ‘fake’ Wi‑Fi hotspot, and request users create a profile. From this point they can steal the ApplePay cryptogram [the key to encrypting the data].Apple states that the cryptogram should only be used once. However, merchants and payment gateways are often set up to allow cryptograms to be used more than once.” Positive Technologies explained to El Reg.
“As the delivery information is sent in cleartext, without checking its integrity, hackers can use an intercepted cryptogram to make subsequent payments on the same website, with the victim charged for these transactions.”
The experts highlighted that there are some limitations to the attack, for example, the victim will receive a notification about the transaction as soon as it is made, this means that they can immediately block their card.
Researchers recommend to avoid using ApplePay to purchase items online on websites that don’t use the “https” and to avoid making transactions in public Wi‑Fi networks where the attackers can easily eavesdrop the traffic.
“The advice, as always, is to avoid jailbreaking a device in the first instance,” said Yunusov who added, “Another precaution is for users to avoid downloading unnecessary applications which will help prevent malware from being added to the device.”
Positive Technology already reported its findings to Apple, but it warns that the development of patches will be no simple due to the significant impact on any components of the security chain.
Apple Users, Beware! A Nearly-Undetectable Malware Targeting Mac Computers 26.7.2017 thehackernews Apple Yes, even Mac could also get viruses that could silently spy on its users. So, if you own a Mac and think you are immune to malware, you are wrong. An unusual piece of malware that can remotely take control of webcams, screen, mouse, keyboards, and install additional malicious software has been infecting hundreds of Mac computers for more than five years—and it was detected just a few months back. Dubbed FruitFly, the Mac malware was initially detected earlier this year by Malwarebytes researcher Thomas Reed, and Apple quickly released security patches to address the dangerous malware. Now months later, Patrick Wardle, an ex-NSA hacker and now chief security researcher at security firm Synack, discovered around 400 Mac computers infected with the newer strain of the FruitFly malware (FruitFly 2) in the wild. Wardle believes the number of infected Macs with FruitFly 2 would likely be much higher, as he only had access to some servers used to control FruitFly. Although it is unknown who is behind FruitFly or how the malware gets into Mac computers, the researchers believe the nasty malware has been active for around ten years, as some of its code dates back to as far as 1998. "FruitFly, the first OS X/macOS malware of 2017, is a rather intriguing specimen. Selectively targeting biomedical research institutions, it is thought to have flown under the radar for many years," Wardle wrote in the abstract of his talk, which he is going to present at the Black Hat later this week. Since the initial infection vector for FruitFly is unclear, like most malware, Fruitfly could likely infect Macs either through an infected website delivering the infection or via phishing emails or a booby-trapped application. FruitFly is surveillance malware that's capable of executing shell commands, moving and clicking a mouse cursor, capturing webcam, killing processes, grabbing the system's uptime, retrieving screen captures, and even alerting the hacker when victims are again active on their Mac. "The only reason I can think of that this malware has not been spotted before now is that it is being used in very tightly targeted attacks, limiting its exposure," Reed wrote in the January blog post. "Although there is no evidence at this point linking this malware to a specific group, the fact that it has been seen specifically at biomedical research institutions certainly seems like it could be the result of exactly that kind of espionage." Wardle was able to uncover FruitFly victims after registering a backup command and control (C&C) server that was once used by the attacker. He then noticed around 400 Mac users infected with FruitFly started connecting to that server. From there, the researcher was also able to see IP addresses of FruitFly infected victims, indicating 90 percent of victims were located in the United States. Wardle was even able to see the name of victims' Macs as well, making it "really easy to pretty accurately say who is getting infected," he told Forbes. But rather than taking over those computers or spying on the victims, Wardle contacted law enforcement and handed over what he found to law enforcement agents, who are now investigating the matter. Wardle believes surveillance was the primary purpose of FruitFly, though it is yet unclear whether it is government or other hacker groups. "This did not look like cyber crime type behaviour; there were no ads, no keyloggers, or ransomware," Wardle said. "Its features had looked like they were actions that would support interactivity—it had the ability to alert the attacker when users were active on the computer, it could simulate mouse clicks and keyboard events." Since the Fruitfly's code even includes Linux shell commands, the malware would work just fine on Linux operating system. So, it would not come as a surprise if a Linux variant of Fruitfly was in operation.
Georgian News Site Serves New Version of Old Mac Trojan
Researchers at security firm Volexity noticed that the website of a media organization based in the country of Georgia had been serving a new version of an old Mac Trojan to specific visitors.
According to experts, the compromised news website has English, Russian and Georgian sections, but only the Georgian language pages appeared to deliver the malware. The threat is a new version of OSX/Leverage, a backdoor first spotted back in 2013.
Interestingly, not all visitors were targeted. JavaScript code planted on the site profiled each user and only served the malware if certain conditions were met. The malware was pushed only to devices whose user agent showed that the victim accessed the site from a Mac and a web browser other than Chrome.
The script also checked cookies to determine if the user had previously visited the website and analyzed the malicious JavaScript code. If a returning user is detected, the exploitation chain is terminated.
If all the conditions are met and the potential victim is using the Safari browser from a Mac computer, an iframe is loaded and a fake Adobe website is displayed. The site is designed to trick users into downloading a fake Flash Player critical update.
The malicious Flash Player update is delivered via a Metasploit module that abuses Safari functionality to force the download and execution of an OS X application. However, the victim still needs to allow the execution of the file when prompted or manually execute it from the Downloads folder.
Once executed, the malware creates a Launch Agent for persistence and opens the genuine Adobe Flash Player website to avoid raising suspicion. The backdoor contacts its command and control (C&C) server and sends it information about the infected system.
“Unlike the earlier version of the malware, this new version does not limit itself to a predefined set of commands and instead allows an unrestricted command shell capability back into an infected system,” Volexity researchers said in a blog post.
The new version of the Leverage malware, which was also spotted by Sophos earlier this month, is signed with an Apple code signing certificate issued to a developer apparently named “Aleks Papandopulo.”
The first version of Leverage had been disguised as an image file and in some cases it downloaded a logo of the Syrian Electronic Army hacker group onto compromised machines.
Interestingly, Volexity has discovered a link between an IP address associated with one of the domains serving the new version of Leverage and Stantinko, a recently uncovered botnet that has powered a massive adware campaign since 2012. The Stantinko operation has mainly targeted Russia and Ukraine.
Fruitfly macOS and OS X backdoor remained undetected for years 26.7.2017 securityaffairs Apple
A new mysterious strain of macOS and OS X malware dubbed Fruitfly went undetected by malware researchers and security software for at least five years. Fruitfly is a backdoor that could be used by attackers to gain full control over the infected systems by implementing many spying features.
Fruitfly has the ability to capture screenshots, keystrokes, webcam images, and steal data from the infected Mac.
Patrick Wardle, chief security researcher at Synack and former NSA analyst, has analyzed a sample of the malware and will present his findings this week at the hacking conference Black Hat.
The expert has built a custom command and control server to examine the FruitFly backdoor, he announced the release a number of tools used for his analysis, including a user-mode process monitor.
It has been estimated that the number of infected devices is roughly 400 and likely much higher.
““[FruitFly] was designed in a way to be interactive,” explained Wardle “This can move the mouse, generate presses and interact with the UI elements of the operating system.””
The FruitFly sample analyzed by Patrick Wardle is a variant of a malware that was spotted in January by experts at Malwarebytes after being undetected for at least two years.
After the discovery of the malware in January, Apple updated macOS to automatically detect the malware, but the strain of malware found by Wardle remained undetected by macOS security system and antivirus products.
The Fruitfly malware relies on functions that were deprecated long ago and uses a crude method to gain persistence. Compared to other Mac malware it is much easier to detect.
A submission to the VirusTotal malware detection service shows that only 22 out of 57 Antivirus are able to detect the malware.
The analysis of the malware allowed Wardle to decrypt several backup domains that were hardcoded, and the good news is that the domains remained available allowing him to register one of them.
The expert set up a “sink hole” with the registered domain and noticed that close to 400 infected Macs connected to the server, most of them from United States. Although Wardle did nothing more than
Wardle explained that the was able to send commands to the infected machine to spy on the victims, but he did not do it to respect their privacy.
Wardle explained that the method of infection is still unknown, he suspects the victims were tricked into clicking malicious links.
Wardle also explained that it is still unclear the real motivation of the attackers, the malware in fact, is not able to steal payment card data or to deliver other malicious payloads to monetize the effort of the attackers (i.e. ransomware).
Anyway the fact that the malware targets home users led the researchers to exclude the involvement of a nation-state attacker.
“I don’t know it if it’s just some bored person or someone with perverse goals,” Wardle said. “If some bored teenager is spying on me, that would still be very emotionally traumatic. If it’s turning on the webcam, that’s for perverse reasons.”
The researcher believes that Fruitfly was therefore abandoned by its creators, but the victims are still exposed to anyone who is able to impersonate a C&C server included in the list of hardcoded domains.
Wardle reported his findings to law enforcement and all hardcoded domains are no longer available to avoid abuses.
Wardle developed a set of tools for its investigation, such as BlockBlock for detecting persistence mechanisms and OverSight for detecting webcam alerts.
Don’t miss the Wardle speech at the Black Hat Security Conference in Las Vegas, it is titled Offensive Malware Analysis: Dissecting OSX/Fruitfly via a custom C&C Server.
