malware and security

Ric Ford

MacInTouch
Warnings from Talos:
Cisco said:
CleanMyMac X incomplete update patch privilege escalation vulnerability
CVE-2019-5011
An exploitable privilege escalation vulnerability exists in the helper service CleanMyMac X, version 4.20, due to improper updating. The application failed to remove the vulnerable components upon upgrading to the latest version, leaving the user open to attack. A user with local access can use this vulnerability to modify the file system as root.
Most Prevalent Malware Files March 14 - 21, 2019
...
SHA 256: dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b
MD5: f22a024b4c98534e8ba7a1c03b0b6132
VirusTotal: https://www.virustotal.com/#/file/dcf0fd2f6cc7b7d6952e8a2a9e31d760c1f60dd6c64bffae0ab8b68384a21e8b/details
Typical Filename: unpacknw.zip
Claimed Product: N/A
Detection Name: Osx.Malware.Bpbw::agent.tht.talos
 


Kaspersky said:
Cryptocurrency businesses still being targeted by Lazarus
It’s hardly news to anyone who follows cyberthreat intelligence that the Lazarus APT group targets financial entities, especially cryptocurrency exchanges. Financial gain remains one of the main goals for Lazarus, with its tactics, techniques, and procedures constantly evolving to avoid detection.
...
It’s no secret that Apple products are now very popular among successful internet startups and fintech companies, and this is why the malicious actor built and used macOS malware. While investigating earlier Lazarus incidents, we anticipated this actor would eventually expand its attacks to macOS.
...
We’d therefore like to ask Windows and macOS users to be more cautious and not fall victim to Lazarus. If you’re part of the booming cryptocurrency or technological startup industry, exercise extra caution when dealing with new third parties or installing software on your systems. It’s best to check new software with an antivirus or at least use popular free virus-scanning services such as VirusTotal. And never ‘Enable Content’ (macro scripting) in Microsoft Office documents received from new or untrusted sources. Avoid being infected by fake or backdoored software from Lazarus – if you need to try out new applications, it’s better to do so offline or on an isolated network virtual machine which you can erase with a few clicks. We’ll continue posting on Lazarus’s latest tactics and tricks in our blog. In the meantime, stay safe!
 


Meanwhile, here are some network connections that QuickBooks makes to 13 different IP addresses:
  • cdn.mxpnl.com
  • d24n15hnbwhuhn.cloudfront.net
  • ofx-prod-brand.intuit.com
  • http-download.intuit.com
  • download.fidir.intuit.com
Identifying the owners and purposes of "mxpnl.com" and "d24n15hnbwhuhn.cloudfront.net" is left as an exercise for the reader.
mxpnl.com is an Oracle site. Any Cloudfront domain is just their regular Cloud service load-balancing,
 


Kaspersky Labs said:
An EXE infection for your Mac

The idea that macOS is invulnerable is a myth, as we’ve said many times before. Recently, cybercriminals found yet another way to tiptoe past its built-in defense mechanism. They collected data about the infected system and fed it into adware using files with the EXE extension, which usually runs only in Windows. An EXE file infecting Mac users? Strange, but the method does work.
...
The irony is that the malware was added not just anywhere, but to a pirated copy of a security product — the Little Snitch firewall. Users who tried to save on paying for a license predictably ended up with a headache instead.
The infected version of the firewall was distributed using torrents. Victims downloaded to their computers a ZIP archive with a disk image in DMG format — so far, normal. But a close look at the contents of this DMG file reveals the presence of the MonoBundle folder with a certain installer.exe inside. This is not a typical macOS object; EXE files usually just don’t run on Mac machines.
...
In fact, Windows executables are so unsupported in macOS that Gatekeeper (a security feature of macOS that prevents suspicious programs from running) simply ignores EXE files. This is quite understandable: It makes little sense to overload the system by scanning obviously inactive files, especially with one of Apple’s selling points being operating speed.
...
After installation, the malware first collects information about the infected system. Cybercriminal interest is focused on the name of the model, device IDs, processor specifications, RAM, and many other things. The malware also harvests and sends information about installed applications to its C&C server.
Simultaneously, it downloads several more images to the infected computer with installers masked as Adobe Flash Media Player, or Little Snitch. They are in fact run-of-the-mill adware tools that pester you with banners.
 


In fact, Windows executables are so unsupported in macOS that Gatekeeper (a security feature of macOS that prevents suspicious programs from running) simply ignores EXE files . . .
Some years ago I tried Crossover, a proprietary version of the Open Source Wine project, to run a Windows version of Quicken 98 on my Mac. It worked well enough that Quicken 98 launched, then shut down, apparently because Intuit had turned off its authorization server.

While researching Crossover and Wine, I realized their components could, in theory, open on a Mac and run Windows malware in part because they use the Microsoft-supported Mono open-source alternative to .NET. This report from Kaspersky seems to resolve hypothetical into real world fact.

As to Gatekeeper not checking for .exe files in a .dmg, I think it's safe to presume someone downloading known pirated software would disable Gatekeeper's safety verifications before installing?

Those of us who aren't acquiring pirated software should be pretty safe, but it is apparently rather easy to create the kind of packaged software that delivered this malware load in an .exe file.
Wineskin said:
What is Wineskin ?
Wineskin is a tool used to make ports of Windows software to Mac OS X. The ports are in the form of normal Mac application bundle wrappers. It works like a wrapper around the Windows software, and you can share just the wrappers if you choose.
Best of all, it's free! Make ports/wrappers to share with others, make ports of your own open source, free, or commercial software, or just make a port for yourself! Why install and use Windows if you don’t need to?
 


As to Gatekeeper not checking for .exe files in a .dmg, I think it's safe to presume someone downloading known pirated software would disable Gatekeeper's safety verifications before installing?
If it's signed with a revoked DeveloperID then Gatekeeper should still prevent it from being opened even when disabled.

If it's known malware, then an updated XProtect would prevent it from opening.

But there's another factor here that I don't think Kaspersky considered. In order for any file to be checked by Gatekeeper (or XProtect), it must have a quarantine attribute, and that will only happen if the file was downloaded by a Quarantine-savvy app. Most pirate sites use torrent downloads, and most such apps do not quarantine their files. I'd have to guess that's the real problem here, not that Gatekeeper doesn't check .exe files.
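A check for the point made above about the quarantine attribute, added here as example code (not from the original post or from Apple): it reads com.apple.quarantine off a downloaded file with the stock xattr tool and parses it, so you can see whether a torrent client or other downloader left the file unquarantined. The field layout (flags;timestamp;agent;uuid) is assumed from how macOS writes the attribute; the sample value is constructed.

```python
"""Inspect the com.apple.quarantine extended attribute on a file.

Added example for the Gatekeeper discussion above; not code from the
original post or from Apple.  Layout assumed (as macOS writes it):
    <flags hex>;<download time, hex seconds since epoch>;<agent name>;<UUID>
Only the first two fields are always present.
"""
import datetime
import subprocess
import sys
from dataclasses import dataclass
from typing import Optional

XATTR_NAME = "com.apple.quarantine"


@dataclass
class Quarantine:
    flags: int
    downloaded_at: datetime.datetime
    agent: str
    uuid: str


def parse_quarantine(value: str) -> Quarantine:
    """Parse the attribute text into its fields; raises ValueError if malformed."""
    parts = value.strip().split(";")
    if len(parts) < 2:
        raise ValueError(f"unexpected quarantine value: {value!r}")
    flags = int(parts[0], 16)
    stamp = int(parts[1], 16)
    downloaded_at = datetime.datetime.fromtimestamp(stamp, tz=datetime.timezone.utc)
    agent = parts[2] if len(parts) > 2 else ""
    uuid = parts[3] if len(parts) > 3 else ""
    return Quarantine(flags, downloaded_at, agent, uuid)


def read_quarantine(path: str) -> Optional[Quarantine]:
    """Return the parsed attribute for `path`, or None when the file carries none.

    Uses the stock macOS `xattr -p` tool; a file with no attribute is exactly
    the case where Gatekeeper and XProtect never look at it on first open.
    """
    result = subprocess.run(
        ["xattr", "-p", XATTR_NAME, path],
        capture_output=True, text=True, check=False,
    )
    if result.returncode != 0:   # xattr exits non-zero when the attribute is absent
        return None
    return parse_quarantine(result.stdout)


def describe(path: str, q: Optional[Quarantine]) -> str:
    """One-line verdict suitable for a triage log."""
    if q is None:
        return f"{path}: NOT quarantined - Gatekeeper/XProtect will not assess it on open"
    return (f"{path}: quarantined by {q.agent or '<unknown agent>'} at "
            f"{q.downloaded_at:%Y-%m-%d %H:%M:%SZ} (flags 0x{q.flags:04x})")


# Constructed sample value, in the layout a browser such as Safari writes.
SAMPLE_VALUE = "0083;5cf05e80;Safari;1B2C3D4E-5F60-4718-8A9B-0C1D2E3F4A5B"

if __name__ == "__main__":
    for p in sys.argv[1:]:
        print(describe(p, read_quarantine(p)))
    if len(sys.argv) == 1:
        print(describe("sample.zip", parse_quarantine(SAMPLE_VALUE)))
```

Run it with one or more paths on a Mac; with no arguments it parses the constructed sample value instead.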
 


But there's another factor here that I don't think Kaspersky considered. In order for any file to be checked by Gatekeeper (or XProtect), it must have a quarantine attribute
Al, I don't know if I'm confused or my post was confusing.

It is my understanding that Gatekeeper checks to see if an application is from the Mac App Store or an identified developer who paid a developer fee to Apple to be identified. Gatekeeper gives App Store apps an automatic pass. But even apps not from the App Store but from identified developers are met with a challenge that seems designed to urge users to stay inside Apple's walled garden:
Apple said:
Safely Open Apps on Your Mac
If your Mac is set to allow apps from the App Store and identified developers, the first time that you launch an app from an identified developer, your Mac asks if you’re sure you want to open it.
As to Xprotect, I understand it is not a comprehensive malware blockade, and what malware it does block isn't documented, at least by Apple.

What I had been trying to suggest is that someone who is willing to download and install pirated software would ignore Gatekeeper even if it went full alarm. After all, what Gatekeeper does is check for authentication, not check the app itself. As the recently headlined hack of Asus firmware servers to deliver malware in signed firmware reminds, even software certified authentic may be counterfeit. Perhaps, somehow, the pirated copy of Little Snitch with its added malware load managed to sneak through Gatekeeper without setting off alarms. Unsettling prospect.
 


even apps not from the App Store but from identified developers are met with a challenge that seems designed to urge users to stay inside Apple's walled garden:
That depends on which setting the user has enabled and how it was downloaded. If "App Store" then the user is only challenged before being able to open an app from an identified developer, but if choosing "App Store and identified developers" they are only warned (if the app was quarantined) as downloaded from the internet. If the app wasn't quarantined, there is no warning.
Perhaps, somehow, the pirated copy of Little Snitch with its added malware load managed to sneak through Gatekeeper without setting off alarms.
I wish I had a sample to test for myself. As you have guessed, a large number of recent Mac malware has been found to be signed with a valid Apple DeveloperID, that Apple had to revoke. Sometimes this happens very quickly, but I've seen more than 24 hours pass after having personally reported an issue to product security.

As I said, I'd like to see a sample so that I could see if Gatekeeper actually skips checks of .exe files that have been quarantined or just was never quarantined by the downloading app. We've certainly seen many examples of the latter when it comes to BitTorrent malware.
 


DFG

MacRumors reports that, starting with macOS 10.14.5, notarization will be required for all apps and kernel extensions to run with default Gatekeeper settings.

Apple gives very little information about the notarization process, other than stating that it is an automated tool.

As far as I understand, developers are still free to publish non-signed apps, which however can only be run if Gatekeeper is configured to "allow applications downloaded from Anywhere".

Apple removed the GUI to enable this in macOS Sierra, but thankfully it can be re-enabled with the following terminal command:
Code:
sudo spctl --master-disable
Given that the workaround is still there, maybe this isn't the end of the world, but Apple is slowly closing all the loopholes and making macOS more and more like iOS.

(The day the last loophole will be closed is the day I will abandon macOS.)
 


MacRumors reports that, starting with macOS 10.14.5, notarization will be required for all apps and kernel extensions to run with default Gatekeeper settings.

Apple gives very little information about the notarization process, other than stating that it is an automated tool.
Notarization was covered extensively during WWDC-2018 last June, was implemented in High Sierra 10.13.6 and a good bit of information on it can be found in this developer note Notarizing Your App Before Distribution. I am running quite a few apps that have been notarized by their developers.
As far as I understand, developers are still free to publish non-signed apps, which however can only be run if Gatekeeper is configured to "allow applications downloaded from Anywhere".
No, you can still open such apps using a right-click/control-click on the app and choosing "Open."
 


As far as I understand, developers are still free to publish non-signed apps, which however can only be run if Gatekeeper is configured to "allow applications downloaded from Anywhere".
No, you can still open such apps using a right-click/control-click on the app and choosing "Open."
And once you do this and approve the app, macOS will remember your approval and not ask again.

Additionally, Gatekeeper's protection only affects software downloaded over a network. Software you compile yourself or install from local media (for those of you who still remember software distributed on CD/DVD) never triggers Gatekeeper.
 


Ric Ford

MacInTouch
Howard Oakley has more today about macOS 10.15 notarization changes:
Eclectic Light Co. said:
Macs move closer to compulsory notarization

... Most importantly, no one can notarize their own app, only Apple can. Developers upload their apps to Apple for notarization, and that involves checking the app meets more stringent criteria and undergoing automated testing for evidence of malicious behaviour. For the last couple of years, most malware for macOS has been correctly signed using valid developer certificates. Apple’s testing routines are intended to prevent malware from being notarized, thus giving you better confidence that a new app isn’t going to be bad news.

In order for an app to be successfully notarized, it must also be hardened, which restricts its behaviours. Hardening applies a set of rules which are not unlike those applied to App Store apps. For example, if a hardened app wants to access your address book, it has to declare that when it’s built, provide an explanation which you will be given, and then pass through standard privacy checks when you first run it.

Hardening doesn’t ban potentially harmful behaviours like executing JIT-compiled code, but they are only allowed if the app declares them prior to notarization. Most importantly for many notarized apps, they aren’t run in a sandbox in the way that App Store apps are required to be, so the requirements of hardening should seldom if ever get in the way of the app or its user.

Notarization is specific to that release of that particular app. If there is a problem with that version, Apple can revoke notarization for that alone. Using developer certificates, Apple can only revoke the certificate, which blocks all subsequent first runs on any app of any version signed using the same developer certificate.

When Apple makes notarization of apps mandatory, any app which is to pass through first run checks and has been downloaded from the Internet will have to be notarized (or be from the App Store), or Gatekeeper simply won’t allow it to run. This brings major change to the way in which we supply, obtain, and install apps.
 


Ric Ford

MacInTouch
FYI:
ESET said:
OceanLotus: macOS malware update
Early in March 2019, a new macOS malware sample from the OceanLotus group was uploaded to VirusTotal, a popular online multi-scanner service. This backdoor executable bears the same features as the previous macOS variant we looked at, but its structure has changed and its detection was made harder. Unfortunately, we couldn’t find the dropper associated with this sample so we do not know the initial compromise vector.

We recently published a detailed update about OceanLotus and how its operators employ a wide range of techniques to gain code execution, achieve persistence, and leave as little trace as possible on a Windows system. OceanLotus is also known to have a malicious macOS component. This article details what has changed from the previous macOS version analyzed by Trend Micro ...
Trend Micro said:
New MacOS Backdoor Linked to OceanLotus Found
We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty). OceanLotus was responsible for launching targeted attacks against human rights organizations, media organizations, research institutes, and maritime construction firms. The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.

The MacOS backdoor was found in a malicious Word document presumably distributed via email.
 




I recently bought a new Mac with Mojave as the OS. One of the “features” that may have come with it is that my Safari topic searches, e.g., “baking powder”, are being redirected from Google to Bing. I’ve checked my Safari preferences and Google is the specified search engine. I tried Firefox (redirected to Bing), Chrome (Google), and Opera (Google). There are three other Macs in my household, all running High Sierra. They don’t have this problem. Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
 


Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
While I doubt I will have the ultimate solution, as a matter of troubleshooting, I ask this: have you tried (temporarily, of course) changing the affected browsers to some other setting that is neither Google nor Bing (important!), like DuckDuckGo? When that is done, do they then respect that setting, or do the redirects persist?
 


I recently bought a new Mac with Mojave as the OS. One of the “features” that may have come with it is that my Safari topic searches, e.g., “baking powder”, are being redirected from Google to Bing. I’ve checked my Safari preferences and Google is the specified search engine. I tried Firefox (redirected to Bing), Chrome (Google), and Opera (Google). There are three other Macs in my household, all running High Sierra. They don’t have this problem. Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
Delete or move ~/Library/Preferences/com.apple.safari.plist (the file may likely be in ~/Library/Containers... but I don’t have the full path handy). I just went through some truly bizarre Safari behavior. Was really embarrassed I took so long to remember that.
 


I recently bought a new Mac with Mojave as the OS. One of the “features” that may have come with it is that my Safari topic searches, e.g., “baking powder”, are being redirected from Google to Bing. I’ve checked my Safari preferences and Google is the specified search engine. I tried Firefox (redirected to Bing), Chrome (Google), and Opera (Google). There are three other Macs in my household, all running High Sierra. They don’t have this problem. Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
Thanks to Will M and Will Blume for your suggestions.

I did a Google search and got to an Apple message board which had the same question. One of the replies suggested downloading "Malwarebytes" and running it under a 14-day free trial. I ran it, got a list of about 29 suspicious files, and had Malwarebytes delete them. Empty Trash. Restart Mac, and the problem is gone.
 


I recently bought a new Mac with Mojave as the OS. One of the “features” that may have come with it is that my Safari topic searches, e.g., “baking powder”, are being redirected from Google to Bing. I’ve checked my Safari preferences and Google is the specified search engine. I tried Firefox (redirected to Bing), Chrome (Google), and Opera (Google). There are three other Macs in my household, all running High Sierra. They don’t have this problem. Thus, the redirection appears limited to Safari and Firefox on my new Mac. How do I get rid of this redirection?
You may be a victim of ISP deep packet inspection and/or NXDOMAIN hijacking. If you have access to a VPN, try it and see if that changes the result. If it does, then your ISP is messing with you.

If that's the case, Chrome may be unaffected due to the way it does non-standard HTTP. Opera has a built-in VPN.
 



What, specifically, is non-standard with Chrome's HTTP method? And who is the arbiter of this standard?
What I was thinking of is SPDY and QUIC. SPDY became HTTP/2 and QUIC became HTTP/3, so now it is a real standard.

This is why network monitors, such as Little Snitch, show Chrome making a lot of UDP connections.
 


Discovery of what sounds like potentially nasty remote control [Linux] malware, HiddenWasp, was just announced yesterday. It's unclear what threat this might be to macOS's Unix underpinnings.
Dan Goodin said:
Advanced Linux backdoor found in the wild escaped AV detection
Researchers say they’ve discovered an advanced piece of Linux malware that has escaped detection by antivirus products and appears to be actively used in targeted attacks.

HiddenWasp, as the malware has been dubbed, is a fully developed suite of malware that includes a trojan, rootkit, and initial deployment script, researchers at security firm Intezer reported on Wednesday. At the time Intezer’s post went live, the VirusTotal malware service indicated Hidden Wasp wasn’t detected by any of the 59 antivirus engines it tracks, although some have now begun to flag it. Time stamps in one of the 10 files Intezer analyzed indicated it was created last month. The command and control server that infected computers report to remained operational at the time this article was being prepared.
 


Getting on for a week of misery with my (bought as refurb) trashcan Mac Pro. We had an impressive thunderstorm last Wednesday with a couple of very close lightning strikes. The whole house is surge-protected, and the computers (and hifi, which is basically a bunch of computers these days, albeit it in prettier boxes) are further protected by UPSes.

However, next day, email was almost non-working on the Mac Pro, and internet was flaky. But all worked well on the MacBook 13". And on a resurrected-for-the-purpose-of-checking G4 PowerBook Ti (!).

After doing all the reasonable things (try WiFi instead, swap ethernet ports, faff with the ethernet switches, reset cable modem, create new account... over several days), still unresolved.

Quick chat with Apple said oopsy - take it in to the Apple Store for repair. Not a good idea (I'd become mostly convinced the I/O board needed replacing, which would be expensive and not something I'd want to do myself), so I determined to buy a new Mac Mini (2018), and settled on the bottom-end Core i5 model. Bought it, dragged it home, set it up. Phew, all works!

Attached the external disks from the Mac Pro (my home folder is on an external RAID), and the problems started anew.

Long story short, there was a SOCKS proxy set in Networks Systems Preferences (Advanced). And that was set by turning on Content Caching in the Sharing Systems Preference.

Turned off Content Caching and removed the SOCKS proxy, and all is well now.

Content caching is a Very Good Idea (especially for those with limited internet feeds and speeds), so I'd turned it on, despite our internet connection being north of 300 Mbits, to get the experience that would let me rely on it at our place in Normandy this summer (LTE wireless internet only, and only 50GB per month).

But I shall not be using it until it's fixed. Grrr.

(I'll take the Mac Pro for use there - it'll take over from a pair of 2011 Mac Mini Servers, one being a spare just in case...)...
 


Getting on for a week of misery with my (bought as refurb) trashcan Mac Pro. We had an impressive thunderstorm last Wednesday with a couple of very close lightning strikes. The whole house is surge-protected, and the computers (and hifi, which is basically a bunch of computers these days, albeit it in prettier boxes) are further protected by UPSes.

However, next day, email was almost non-working on the Mac Pro, and internet was flaky. But all worked well on the MacBook 13". And on a resurrected-for-the-purpose-of-checking G4 PowerBook Ti (!).

After doing all the reasonable things (try WiFi instead, swap ethernet ports, faff with the ethernet switches, reset cable modem, create new account... over several days), still unresolved.

Quick chat with Apple said oopsy - take it in to the Apple Store for repair. Not a good idea (I'd become mostly convinced the I/O board needed replacing, which would be expensive and not something I'd want to do myself), so I determined to buy a new Mac Mini (2018), and settled on the bottom-end Core i5 model. Bought it, dragged it home, set it up. Phew, all works!

Attached the external disks from the Mac Pro (my home folder is on an external RAID), and the problems started anew.

Long story short, there was a SOCKS proxy set in Networks Systems Preferences (Advanced). And that was set by turning on Content Caching in the Sharing Systems Preference.

Turned off Content Caching and removed the SOCKS proxy, and all is well now.

Content caching is a Very Good Idea (especially for those with limited internet feeds and speeds), so I'd turned it on, despite our internet connection being north of 300 Mbits, to get the experience that would let me rely on it at our place in Normandy this summer (LTE wireless internet only, and only 50GB per month).

But I shall not be using it until it's fixed. Grrr.

(I'll take the Mac Pro for use there - it'll take over from a pair of 2011 Mac Mini Servers, one being a spare just in case...),

So, be warned; Content Caching can be harmful.
But wait - there's more.

(i) Further investigations showed that the SOCKS proxy settings were re-established every power-on. This suggests that it wasn't the Content Caching which did the dirty deed. And indeed, after a hunt through the web, someone suggested malware. So I downloaded Malwarebytes, and scanned. It found something which called itself "VirtualBoardScan" (which I'd noticed in Activity Monitor, but could find out nothing on the web about it). Malwarebytes extinguished said software, and after a reboot the SOCKS re-activation is definitely not recurring.
(ii) So time to give Content Caching a second try.
(iii) Apologies to all for leaping to conclusions and publishing.
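A quick check for the symptom in the post above, a SOCKS proxy that keeps coming back after every power-on: added example code, not the poster's own tooling or Apple's. It reads each network service's SOCKS setting with the stock macOS networksetup command and reports any enabled proxy that is not in a baseline you declare; the output layout it parses is the one networksetup prints, and the sample output at the bottom is constructed so the check also runs offline.

```python
"""Flag network services with a SOCKS proxy enabled, the symptom described above.

Added example for the post above, not the poster's own tooling or Apple's.
It shells out to the stock macOS `networksetup` command; the parsing works on
the text that command prints, and constructed samples of that text are used
for the offline demo at the bottom.
"""
import subprocess
from typing import Callable, Dict, List, Tuple

# Assumption: a proxy you configured yourself goes here as a baseline; anything
# else that is enabled is reported, since the malware above re-set it at boot.
EXPECTED_SOCKS: Dict[str, Tuple[str, int]] = {}   # e.g. {"Wi-Fi": ("127.0.0.1", 1080)}


def parse_socks_output(text: str) -> Dict[str, str]:
    """Turn `networksetup -getsocksfirewallproxy <service>` output into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def list_services(text: str) -> List[str]:
    """Parse `networksetup -listallnetworkservices`; skips the leading note line
    and strips the '*' that marks a disabled service."""
    names = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("An asterisk"):
            continue
        names.append(line.lstrip("*").strip())
    return names


def unexpected_socks(services: List[str], query: Callable[[str], str]) -> List[str]:
    """Return 'service -> server:port' for every enabled SOCKS proxy not in EXPECTED_SOCKS."""
    findings = []
    for svc in services:
        fields = parse_socks_output(query(svc))
        if fields.get("Enabled") != "Yes":
            continue
        server, port = fields.get("Server", ""), fields.get("Port", "")
        if EXPECTED_SOCKS.get(svc) == (server, int(port or 0)):
            continue
        findings.append(f"{svc} -> {server}:{port}")
    return findings


def _networksetup(*args: str) -> str:
    return subprocess.run(["networksetup", *args],
                          capture_output=True, text=True, check=True).stdout


def scan_live() -> List[str]:
    """Run the check against the current Mac (requires macOS)."""
    services = list_services(_networksetup("-listallnetworkservices"))
    return unexpected_socks(services, lambda s: _networksetup("-getsocksfirewallproxy", s))


# Constructed sample output, in the layout networksetup prints.
SAMPLE_SERVICES = """An asterisk (*) denotes that a network service is disabled.
Ethernet
Wi-Fi
*Bluetooth PAN
"""
SAMPLE_PROXY = {
    "Ethernet": "Enabled: Yes\nServer: 127.0.0.1\nPort: 9090\nAuthenticated Proxy Enabled: 0\n",
    "Wi-Fi": "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
    "Bluetooth PAN": "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n",
}


def demo() -> List[str]:
    """Offline run over the constructed sample; flags the Ethernet proxy only."""
    return unexpected_socks(list_services(SAMPLE_SERVICES), SAMPLE_PROXY.__getitem__)


if __name__ == "__main__":
    for finding in demo():
        print("unexpected SOCKS proxy:", finding)
```

Running scan_live() right after a reboot, before and after removing the suspect software, shows whether the proxy is still being re-established.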
 


Ric Ford

MacInTouch
None of us should be stupid enough to download a "cracked installer" trojan, but this new Mac malware uses novel techniques worth noting.
Thomas Reed said:
New Mac cryptominer Malwarebytes detects as Bird Miner runs by emulating Linux
A new Mac cryptocurrency miner Malwarebytes detects as Bird Miner has been found in a cracked installer for the high-end music production software Ableton Live. The software is used as an instrument for live performances by DJs, as well as a tool for composing, recording, mixing, and mastering. And while cryptomining is not new on Mac, this one has a unique twist: It runs via Linux emulation.

... Qemu is an open-source emulator, somewhat like a command-line-only VirtualBox, that is capable of running Linux executables on non-Linux systems. These copies of Qemu are being used to run the contents of image files, named Poaceae in the above example, using Apple’s Hypervisor framework for better performance.

The final piece of the puzzle lies inside the Poaceae file. This file is a QEMU QCOW image file. This is a file format somewhat similar to Apple’s disk image (.dmg) format, but specific to Qemu, and not as easy to open. With some work, however, it is possible to peek inside the Poaceae file. In this case, the image contains a bootable Linux system. The specific variant of Linux that it uses is Tiny Core.
Bleeping Computer said:
Linux Cryptominer Uses Virtual Machines to Attack Windows, macOS
A new cryptocurrency mining malware dubbed LoudMiner uses virtualization software to deploy a Linux XMRig coinminer variant on Windows and macOS systems via a Tiny Core Linux virtual machine.

The malware comes bundled within cracked copies of Windows and macOS VST software such as Propellerhead Reason, Ableton Live, Sylenth1, Nexus, Reaktor, and AutoTune.

LoudMiner is distributed via an attacker-controlled website which currently links to 137 VST-related apps, 42 of them for Windows and 95 for the macOS platform, all of them frequently updated and hosted on 29 servers, as discovered by ESET Research's detection engineer Michal Malik.
 


Ric Ford

MacInTouch
Here's a good overview of a huge security problem:
Cisco Talos said:
Malvertising: Online advertising's darker side
One of the trickiest challenges enterprises face is managing the balance between aggressively blocking malicious advertisements (aka malvertising) and allowing content to remain online, accessible for the average user. The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient.

As this blog will cover in detail, malvertising is a problem not strictly associated with basic web browsing. It can also come with other software programs including adware or potentially unwanted applications (PUA). These latter examples require the most attention. In today's enterprise, an aggressive approach to advertising is required to be protected against malicious threats. That may include securing your DNS or adding additional layers of inspection through a firewall, intrusion prevention system, or a web security platform. Regardless of the approach, it needs to be thorough and take into account not just the security impacts, but the potential of cascading impact on your users.

Advertising is a key part of the internet as a whole and, whether you realize it or not, is one of the most foundational aspects of it. It is one of the reasons that a large chunk of the content available on the internet is free. It allows people to support their passion projects, their small businesses, and the food blogs of people around the world. However, it is a highly complex and convoluted system that is ripe for abuse. This is an issue that should not be ignored by the public, as these malicious ads can deliver malware out of nowhere and trick traditional internet users who may not be aware of the threats that exist on some pages.

This blog is going to walk through how online advertising works, what malvertising is and why it's dangerous including real life examples, and finally the options that exist for organizations and private citizens to try and protect themselves from these threats.
 


Here's a good overview of a huge security problem:
Cisco Talos said:
Malvertising: Online advertising's darker side
The days of installing a basic ad blocker on your web browser and expecting full protection are gone. Between the sites that require them to be disabled and the ability for advertisers to pay to evade them, ad blockers alone are not sufficient.
uBlock Origin does a much better job than basic ad blockers.
maketecheasier said:
The Ultimate Superuser’s Guide to uBlock Origin
uBlock Origin is the most powerful and versatile ad blocker available. Unfortunately, the design is also a little obscure. This guide will explain the ins and outs of uBlock Origin’s advanced features...
There's also network blocking, e.g., Pi-hole.

As an Android user, I have only the Firefox browser active on my phone and depend on uBlock Origin to offer some protection against malvertising, as rogue ad networks are a major source of Android malware.

Informative as the Cisco article is about the underlying problem, [doesn't it also highlight] Cisco's products and services?
Cisco said:
Malvertising: Online advertising's darker side

... There are many different ways to block ad networks at the domain or nameserver level, but it does require you to make use of some sort of DNS product like Cisco Umbrella to achieve that goal. Another advantage to a product like Umbrella is its ability to block the gate and TDS domains. This may allow the organization an extra layer of protection that will stop known bad domains from serving content to users, without blocking ads unilaterally. Below is a table illustrating how the controls need to balance between risk and user impact.

From a consumer perspective there are plenty of options, including open-source solutions that can help mitigate the issue at home, as well. Among them is the Pi-hole project, which leverages a Raspberry Pi to achieve ad protections. We at Cisco also offer some options for consumers to take advantage of the protections available in Umbrella.

Regardless of how you approach it, digital advertising is one of the biggest battlegrounds on the threat landscape for drive-by attacks delivering malicious content around the globe. Both enterprises and consumers need to be prepared and make a decision on how aggressive they want to be on blocking it. However, it's a unique challenge since the risk is eliminating large chunks of free content on the internet as it becomes increasingly difficult to generate revenue from that content. These are just a couple of the major issues we will be forced to confront over the next several years, and the quicker you realize you are going to need to address it, the better served you will be.
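The domain-level blocking the Cisco article describes (and that Pi-hole, AdGuard DNS and Umbrella perform) comes down to a filtering resolver that answers a sinkhole address for any name on a blocklist, including subdomains of a listed domain, unless an allowlist overrides it. The following is an added illustration, not code from Cisco, Pi-hole or MacInTouch; the blocklist lines, allowlist and upstream answers are constructed samples, and the parent-domain matching is a common approach, not a claim about any product's internals.

```python
from typing import Dict, Iterable, Optional, Set

SINK_ADDRESS = "0.0.0.0"  # sinkhole answer: the client connects nowhere

def normalize(name: str) -> str:
    # DNS names are case-insensitive; drop the trailing dot of an FQDN
    return name.strip().lower().rstrip(".")

def build_blocklist(lines: Iterable[str]) -> Set[str]:
    """Parse hosts-style ("0.0.0.0 ads.example.net") or bare-domain lines."""
    domains: Set[str] = set()
    for raw in lines:
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line:
            continue
        parts = line.split()
        domain = parts[1] if len(parts) >= 2 else parts[0]
        domains.add(normalize(domain))
    return domains

def matches(name: str, domains: Set[str]) -> Optional[str]:
    """Return the listed domain covering name (exact or any parent), else None."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

def resolve(name: str, blocklist: Set[str], allowlist: Set[str],
            upstream: Dict[str, str]) -> dict:
    """Decide what a filtering resolver answers for one A-record query."""
    allowed_by = matches(name, allowlist)
    blocked_by = matches(name, blocklist)
    if blocked_by and not allowed_by:
        return {"name": name, "answer": SINK_ADDRESS,
                "action": "blocked", "rule": blocked_by}
    # Not blocked (or explicitly allowed): forward to the upstream resolver
    return {"name": name, "answer": upstream.get(normalize(name)),
            "action": "forwarded", "rule": allowed_by}

# Constructed sample data (hypothetical domains and addresses, not a real feed)
BLOCKLIST = build_blocklist([
    "# constructed sample list",
    "0.0.0.0 ads.example.net",
    "tracker.example.org",
])
ALLOWLIST = {"cdn.ads.example.net"}  # a false positive the admin unblocked
UPSTREAM = {"cdn.ads.example.net": "203.0.113.10", "www.example.com": "198.51.100.7"}

if __name__ == "__main__":
    for q in ["ADS.example.net.", "click.tracker.example.org", "cdn.ads.example.net"]:
        print(resolve(q, BLOCKLIST, ALLOWLIST, UPSTREAM))
```

The allowlist check is what lets a site that breaks under aggressive blocking be re-enabled per host rather than by disabling filtering altogether.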
 


uBlock Origin does a much better job than basic ad blockers.
Any thoughts on AdGuard DNS?

I have a Roku device, and the only way I found to block ads for cable news channels and misc. freebie channels that also have ads was to install AdGuardDNS DNS settings on my router.

I changed the DNS settings on my Netgear router to the AdGuardDNS ones, which not only block ads on the Roku but also other devices, including phones and computers. I haven't tried turning off my adblockers in Firefox, but in theory, it should work fine without them now.
 



[I also recommend] Pi-hole. I have it deployed at a cabin, which has metered satellite-based internet access, and if we have a house full of folks, Pi-hole will block thousands of ads a day. That's a lot of bandwidth!

(For what it's worth, I also block off the Apple and Android store update sites and other automated update sites at the firewall.)
 




One option: sign up for a Google Voice account. You will get a phone number that accepts SMS messages that can be relayed to the Google Voice app, not to the mobile phone number associated with your carrier. Further, you can minimize privacy and data harvesting concerns by opening a Gmail account that you use only for Google Voice.
Another benefit is that using Google Voice for forced-SMS situations, such as on websites that do not support authenticator apps or physical tokens for 2-factor authentication, reduces the risk of somebody gaining control of your online accounts through SIM-swapping scams.
The reader comments to this article can help you decide if this is a good solution for you:
As someone who has considered using Google Voice in the past, are there not concerns here about the amount of information Google would be scraping from your transmissions and calls? I had been thinking about signing up for Google Voice and then setting all my online accounts to that phone number. After some time to contemplate, I abandoned the idea.
 


As someone who has considered using Google Voice in the past, are there not concerns here about the amount of information Google would be scraping from your transmissions and calls?
Yes. This is Google we're talking about, after all.

Consequently, I have isolated Google Voice as much as possible from all my other online activities:
* I opened a single-purpose Google account using a fresh email address from a provider not linked to any of my existing email providers. I never use this account for anything other than Google Voice.
* The Google account has all of its privacy settings on the most restrictive options possible.
* I only use Google Voice for receiving a small number of texts; I do not use it to make or receive voice calls nor to send texts.

Of course, Google can see that I receive texts with 2FA codes from certain senders periodically. But that's pretty much all it knows. All other account communications occur away from Google. And if I decide to obscure things even more, I'll sign up for a VPN service.

Why did I go to all this trouble? Because I feel letting Google see a very small slice of what I do is worth the great reduction in SIM-swapping risk (finally, a benefit from online-only, totally unresponsive customer service!). To my mind, it is far too easy to socially engineer a call center rep or, worse, bribe an underpaid and unappreciated retail store worker to transfer my real mobile phone number to a SIM card controlled by a criminal.
 


Ric Ford

MacInTouch
Here's some widespread, Apple-signed software you probably don't want on your Mac:
Talos Security said:
MOST PREVALENT MALWARE FILES August 8 - 15, 2019

SHA 256: b22eaa5c51f0128d5e63a67ddf44285010c05717e421142a3e59bba82ba1325a
MD5: 125ef5dc3115bda09d2cef1c50869205
Typical Filename: helpermcp
Detection Name: PUA.Osx.Trojan.Amcleaner::sbmt.talos
VirusTotal said:
helpermcp

File Version Information
Date signed May 15, 2019 at 2:17:02 PM
Identifier com.pcv.hlprmcp
Authority Apple Root CA
Date Signed May 15, 2019 at 2:17:02 PM

Team Identifier Q58HTDVM2R

Files opened
/Users/user1/Desktop
/Users/user1/Desktop/file
/etc/master.passwd
/var/db/timezone/zoneinfo/posixrules


Files written
/private/var/root/Library/Logs/(null).log

Processes created
/Users/user1/Desktop/file

Processes tree
600 - /Users/user1/Desktop/file
 


Ric Ford

MacInTouch
Beware!
ZDNet said:
macOS users targeted with new Tarmac malware
Named Tarmac (OSX/Tarmac), this new malware was distributed to macOS users via online malvertising (malicious ads) campaigns.

These malicious ads ran rogue code inside a Mac user's browser to redirect the would-be victim to sites showing popups peddling software updates -- usually for Adobe's Flash Player.

Victims who fell for this trick and downloaded the Flash Player update would end up installing a malware duo on their systems -- first the OSX/Shlayer malware, and then OSX/Tarmac, launched by the first....

... Since Tarmac payloads come signed by legitimate Apple developer certificates, features like Gatekeeper and XProtect won't stop its installation or show any errors.

Users and companies looking to see if they've had Mac systems infected by this malware can find indicators of compromise (IoCs) in Karim's Tarmac report.
 


I don't know the provenance of this strange event, but I suspect some form of malware: my wife was browsing the Mayo Clinic website and got a large pop-up window informing her that her computer was infected with three viruses which could be fixed by clicking the large red "Scan" button. Of course, she didn't. But... the page seemed to be fairly well crafted, with these exceptions:
1. The warning claimed to be from AppleCare Protection Plan and featured a large red Apple logo. As far as I know, AppleCare covers hardware, not malware, and (probably) uses a monochrome logo.
2. The warning stated that she only had 1 minute and 46 seconds to click the "Scan" button before the damage would be permanent. Panic-inducing tactics like that always raise red flags.
3. The text warned of "...system system damage, loss of Apps, Photos or other files." Sketchy grammar.
My wife tried to Quit Safari using the keyboard but was stopped by another pop-up claiming to be "From: your-mac-security-analysis.net.eczjbp.mrqhkumqr9qsihc.xyz": (including those quotation marks and colon) and offering options to Stay on Page or Leave Page. Rather than clicking either, she simply force-Quit Safari.

All in all, one of those nasty irritations that makes you run a couple of anti-malware programs "just to be sure."
 



