
malware and security


Ric Ford

Another one to beware:
PCMag said:
Scammer Uses Fake iPhone Jailbreak for Fraud Scheme
The jailbreaking community is currently working on a legit tool for older iPhones, dubbed Checkra1n. But in the meantime, a scammer is capitalizing on that name with a website that pretends to offer the tool but is really just a click-fraud scam.
Bleeping Computer said:
Scammers Use Fake Checkra1n iOS Jailbreak in Click Fraud Campaign
Scammers have already been spotted baiting Apple users using a recently developed iOS jailbreak dubbed checkra1n as the lure in a campaign designed to help the crooks earn money via click-fraud and boost App Store rankings for several apps.

checkra1n makes use of the Checkm8 jailbreak-enabling iOS bootrom exploit released on Twitter last month by security researcher axi0mX.

As Cisco Talos researchers found, a scam group has noticed the attention this new jailbreak tool has amassed lately and reacted by registering and hosting checkrain[.]com, a "fake website that claims to give iPhone users the ability to jailbreak their phones."

"However, this site just prompts users to download a malicious profile which allows the attacker to conduct click-fraud."

Ric Ford

Not good news...
BleepingComputer said:
PureLocker Ransomware Can Lock Files on Windows, Linux, and macOS
Cybercriminals have developed ransomware that can be ported to all major operating systems and is currently used in targeted attacks against production servers.

The new name is PureLocker. Malware researchers analyzed samples for Windows but a Linux variant is also being used in attacks.

The malware is carefully designed to evade detection, hiding malicious or dubious behavior in sandbox environments, posing as the Crypto++ cryptographic library, and using functions normally seen in libraries for music playback. ... For the past three weeks, PureLocker evaded the detection of antivirus engines on VirusTotal almost entirely.

The name of the ransomware derives from the programming language it's written in, PureBasic, an unusual choice that provides some benefits, the researchers say in a report.

Ric Ford

Duo Security said:
Lazarus Group Deploying New macOS Backdoor
A newly discovered backdoor written specifically for macOS shares a number of similarities and functions with an older piece of malware attributed to the Lazarus APT group that has been associated with the North Korean government.
Patrick Wardle (Objective-See) said:
Pass the AppleJeus
... In Kaspersky’s original writeup, they detailed an interesting attack whereas the Lazarus APT group targeted various cryptocurrency exchanges “with a fake installer and macOS malware”. One of the more interesting aspects of this operation, is that the APT group actually fabricated an entire fake company (“Celas Trade Pro”) and website in order to increase the realism of the attack.

I have anti-ransomware protection installed on my computer (I'm pretty sure I found out about it here, on MacInTouch) called RansomWhere. I don't remember exactly when I installed it, but it's probably close to a year ago. It hasn't caused any problems on my 2017 iMac running High Sierra and Mojave.

Warnings occur infrequently, given my configuration and usage patterns, except with the Chromium browser. After a Chromium update, the Chrome Helper application associated with Chromium wants to encrypt files. Other than that, I forget RansomWhere is running most of the time.

After a Chromium update, the Chrome Helper application associated with Chromium wants to encrypt files.
Actually, Chrome is decrypting files associated with either its update or, more often, the update of extensions you have installed.

RansomWhere is unable to tell the difference between an encrypt and a decrypt action – reported to the developer years ago now.

Ric Ford

Here's another story about it:
George Cox said:
Alert: Mysterious new malware lurking on your Macs
... A new type of malware is spreading to Macs across the world — and most people do not even know it is a virus. It masquerades as a common download, making it easy for the program to slip through Apple's security measures. If you have noticed your Mac acting funky in recent days, here is why you might want to run a scan.

According to new reports from security researchers, a new form of malware is making an appearance on Macs found in the U.S., Italy and Japan. The malware, dubbed "Tarmac," is actually a companion malware to an older program called Shlayer.

Together, the two viruses work to fill the infected computer with spam advertisements that generate loads of cash for the cybercriminals behind the infection.

Tarmac is a new form of "malvertisements," or malicious ads. When the ad loads on a webpage, it automatically forces the browser to download a piece of software disguised as an update to Adobe Flash Player. Usually, the malvertisement will claim this program must be installed for users to view the webpage or video they are trying to watch.

This is often enough to trick most people into loading the program, which then connects to a central server and relays private information back to the criminals.

Strangely, the phony Flash Player file contains a legitimate Apple developer certification.

Here's another story about it:
Not sure what took these writers so long to pick up on it. The original research on it was done almost two months ago.
Taha Karim said:
I suspect all anti-malware software has been detecting it for some time, judging from the number of them that detect the original fake AdobeFlashPlayerInstaller. Gatekeeper will prevent the installer from running, but those originally infected could well be subject to further infection by Tarmac since it is able to bypass Gatekeeper.

There isn't enough information in anything I've come across to tell me what the Indicators of Compromise (IoC) are for the Tarmac component, but I'll keep digging to see if I can identify anti-malware software capable of eliminating it in case the Command & Control server ever goes live.

Ric Ford

Nasty stuff, quickly contained:
BleepingComputer said:
Coin Stealer Found in Monero Linux Binaries From Official Site
... The Monero team published an update warning users that "the binaries of the CLI wallet were compromised for a short time," Monday 18th 2:30 AM UTC and 4:30 PM UTC:
Yesterday a GitHub issue about mismatching hashes coming from this website was opened. A quick investigation found that the binaries of the CLI wallet had been compromised and a malicious version was being served. The problem was immediately fixed, which means the compromised files were online for a very short amount of time. The binaries are now served from another, safe, source. See the reddit post by core team member binaryfate.
It's strongly recommended to anyone who downloaded the CLI wallet from this website between Monday 18th 2:30 AM UTC and 4:30 PM UTC, to check the hashes of their binaries. If they don't match the official ones, delete the files and download them again. Do not run the compromised binaries for any reason.
We have two guides available to help users check the authenticity of their binaries: Verify binaries on Windows (beginner) and Verify binaries on Linux, Mac, or Windows command line (advanced). Signed hashes can be found here:
The situation is being investigated and updates will be provided soon.
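The advisory's "check the hashes of their binaries" step, written out as an added example (not Monero's own tooling): the script below parses a sha256sum-style list, hashes a download and reports ok, MISMATCH or unlisted. The archive bytes and the hash list are constructed stand-ins, and the list layout is an assumption; verifying the signature on the published hash list is a separate step not shown here.

```python
import hashlib
import re


def parse_hash_list(text):
    """Parse a sha256sum-style list ('<hex digest>  <filename>' per line,
    '#' comments allowed) into {filename: lowercase hex digest}.
    The layout is an assumption of this example, not the project's exact format."""
    published = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = re.fullmatch(r"([0-9a-fA-F]{64})\s+\*?(\S+)", line)
        if match is None:
            raise ValueError(f"unparseable hash line: {line!r}")
        published[match.group(2)] = match.group(1).lower()
    return published


def sha256_hex(data):
    """SHA-256 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file on disk, read in chunks so large archives fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def verify_download(filename, data, published):
    """Compare a downloaded archive against the published list.
    Returns 'ok' (safe to use), 'MISMATCH' (delete it, do not run it) or
    'unlisted' (no published digest for that name: treat as unverified)."""
    expected = published.get(filename)
    if expected is None:
        return "unlisted"
    return "ok" if sha256_hex(data) == expected else "MISMATCH"


def verify_all(downloads, list_text):
    """Check every {filename: bytes} pair and return {filename: status}."""
    published = parse_hash_list(list_text)
    return {name: verify_download(name, data, published)
            for name, data in downloads.items()}


# Constructed inputs: stand-ins for the wallet archive and for the signed hash list.
GENUINE_ARCHIVE = b"constructed stand-in for the genuine CLI wallet archive"
TAMPERED_ARCHIVE = GENUINE_ARCHIVE + b"\x00 constructed extra bytes"
ARCHIVE_NAME = "cli-wallet-example.tar.bz2"
PUBLISHED_LIST = (
    "# constructed hash list; the real one is published as a signed file\n"
    f"{sha256_hex(GENUINE_ARCHIVE)}  {ARCHIVE_NAME}\n"
)

if __name__ == "__main__":
    # A tampered download must come back as MISMATCH.
    for name, status in verify_all({ARCHIVE_NAME: TAMPERED_ARCHIVE}, PUBLISHED_LIST).items():
        print(f"{name}: {status}")
```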

I suspect all anti-malware software has been detecting it for some time, judging from the number of them that detect the original fake AdobeFlashPlayerInstaller. Gatekeeper will prevent the installer from running, but those originally infected could well be subject to further infection by Tarmac since it is able to bypass Gatekeeper.
I've satisfied myself (with help from some friends) that Tarmac detection has been provided by a significant number of anti-malware scanners since even before the referenced study was published in September and have identified one of the latest XProtect signatures as targeting Tarmac adware.

That said, there appear to be features built into Tarmac that could be used to activate more significant malicious attacks, should one of the Command & Control servers come back on line and direct it. So it is important to make certain all traces of it have been removed.

Ric Ford

It's not just Windows at risk for malvertising, though it's the worst (while Linux is the safest).
DEVCON said:
A Window into Malicious Advertising...
A bad ad campaign is merely a series of online ads linked to a common threat set, designed to have a malicious effect on the end-user. These campaigns are designed to redirect the user to malicious sites or to trick the user into downloading a piece of malware. Now we are ready to look at the data. Let's dive in!

The below chart shows all of the new, uniquely defined bad ad campaigns DEVCON observed from July 11 - November 22, 2019.
#malvertising #linux

Ric Ford

FYI, here's a report on Mac malware:
Bitdefender said:
Mid-Year Threat Landscape Report 2019 [PDF]
... In the first half of 2019, some of the most common threats directed at macOS revolve around coin miners, PUA and exploits, according to Bitdefender telemetry. While most threats that involve coin miners leverage compromised legitimate websites that “borrow” computing power from unsuspecting visitors, some threats even target users that have various cryptocurrency wallets.

For instance, instead of stealing computing power, cybercriminals often resort to stealing user cookies that frequently contain login credentials for various cryptocurrency exchanges, such as Coinbase, Binance, Poloniex, and many others. This is far more lucrative, as users suspect nothing while cybercriminals literally cash out their victims’ wallets. Of course, these threats are also versatile enough to steal other cookies and password that can be used for authenticating to a wide range of services, broadening the implications and potential security risks.

Bitdefender telemetry also found many reports coming from vulnerabilities. This might indicate that exploit kits leveraging unpatched vulnerabilities in commonly used browser plugins or macOS applications are constantly probed by malicious websites in an attempt to place various threats.

Like Windows users, Mac users don’t typically install updates as soon as they arrive. Most targeted macOS attacks leveraging exploits were conducted in the first three months of the year. In the April – May time period, exploit-based attacks dropped considerably, as shown in the chart below, only to rise again in June.

One explanation would be that Apple patched hundreds of vulnerabilities in the last two macOS security updates alone (released in the March – June time period). As customers progressively ceded to the update nag, exploit kits leveraging those flaws likely became useless.

Unlike the previous Windows telemetry, ransomware, fileless attacks and banking Trojans are not as prevalent on macOS. While there have been reported incidents in the wild where macOS Trojans have been used to steal banking credentials or even exfiltrate sensitive data, such as user names and passwords by acting as locally installed keyloggers, the number of reports of macOS-installed malware is relatively low.

However, cybercrooks targeting Macs prefer to focus on web-based threats, such as fraud, phishing, and coin-mining software, or even potentially unwanted apps (PUAs).

#macmalware #applesecurity #securityupdates

Ric Ford

This looks nasty and like it could become much worse:
BleepingComputer said:
New macOS Threat Served from Cryptocurrency Trading Platform
Security researchers have encountered a new macOS malware sample believed to be the work of the North Korean group of hackers known as Lazarus.

The threat has a very low detection rate and comes with capabilities that allow it to retrieve a payload from a remote location and run it in memory, making the forensic analysis more difficult.
macOS fileless malware
While executing a file in memory is a common feature in malware for Windows, the trick is rare on macOS and is just starting to gain in popularity.

One of the few malware families capable of this is Gmera, a trojan that researchers from Trend Micro discovered in September also posing as an online trading app.

Ouch! The following article is perhaps a corollary to a prior comment I made about the access we give anti-virus programs to our data files. With the expanded feature sets these products now include, with their ability to scan our internet traffic, we need to be observant as to what they are doing there as well.
Engadget said:
Mozilla pulls four Firefox add-ons over excessive data collection
Browser security extensions aren't automatically safer -- they might even make things worse. Mozilla has pulled Avast's Online Security and SafePrice extensions for Firefox, plus their AVG-branded equivalents, after AdBlock Plus creator Wladimir Palant found they were collecting much more data than necessary. This included a detailed web history that went well beyond site addresses and search history, including when and how long you visit a site, what you click, the number of open tabs and even when you switch to another tab. Mozilla's policies explicitly forbid this kind of fine-grained collection.
If you found the extensions useful, don't worry -- they should come back. Avast told ZDNet that it was working with Mozilla to clear up issues. It had "already implemented" some of Mozilla's more recent privacy requirements, and planned versions that were "fully compliant and transparent." You could expect them back in Mozilla's extension store sometime in the "near future."

This looks nasty and like it could become much worse:
BleepingComputer said:
New macOS Threat Served from Cryptocurrency Trading Platform
macOS fileless malware
While executing a file in memory is a common feature in malware for Windows, the trick is rare on macOS and is just starting to gain in popularity.
Although this vulnerability has been known for about three years and at least one Proof of Concept exploit has been around since then:
Cylance said:
This may be the first actual threat that takes advantage of it that has been found.

Ric Ford

Here's more about the sophisticated "fileless" Mac malware recently discovered and dissected:
Dan Goodin said:
Newly discovered Mac malware uses “fileless” technique to remain stealthy
Hackers believed to be working for the North Korean government have upped their game with a recently discovered Mac trojan that uses in-memory execution to remain stealthy.

In-memory execution, also known as fileless infection, never writes anything to a computer hard drive. Instead, it loads malicious code directly into memory and executes it from there. The technique is an effective way to evade antivirus protection because there’s no file to be analyzed or flagged as suspicious.

Ric Ford

I think I may have mentioned "malvertising" previously. Here's a bit more about the problem, and its effect on Apple users...
Forbes said:
New iPhone Security Alert: ‘iPhone Only’ Krampus-3PC Malware Campaign Confirmed
There is no doubt that when it comes to security, the iPhone is a pretty good choice of smartphone. That's probably why so many infosecurity professionals, especially ethical hackers and security researchers, use one themselves. However, just because the iPhone runs a tight ship from the security perspective, that doesn't mean that users are immune from attacks. Recent bugs that could allow an attacker to lock you out of your iPhone, vulnerabilities that could effectively brick the iPhone with a malicious iMessage and even security exploits present on a brand new iPhone 11 all prove that. Sure, there's no doubting that the iPhone is less prone to the kind of shocking Android malware attacks we are so used to reading about. This doesn't mean that iPhone users can afford to get complacent, though. It has been thought for the longest time that threat actors were producing malware variants specifically coded for iOS. Now one totally iPhone specific malware campaign has been spotted being actively exploited in the wild.

... The Media Trust DSO report revealed that malvertising, also known as a badvert attack, was employed to distribute the Krampus-3PC malware. More than 100 popular publishing websites, including many online newspapers, are said to have inadvertently delivered up the malicious adverts from a legitimate advertising technology vendor.

iPhone users browsing these sites and viewing these badverts would be attacked without any user interaction being required.
#applesecurity #malvertising #badvert #iPhone #iOS #malware #Krampus-3PC

I guess I can see reasons for not disclosing the names of the sites that served up malvertising, but I am not sure they are sufficiently good reasons.
Ironic that clicking on the headline to learn more about this malware takes you to the Forbes site, whereupon I get this message:
Forbes said:
Please help us continue to provide you with free, quality journalism by turning off your ad blocker on our site.

SentinelOne said:
MacOS Malware Outbreaks 2019 | The Second 6 Months
Earlier this year, we did a roundup of the first 6 months of MacOS malware in 2019, noting that there had been quite an uptick in outbreaks, from a return of OSX.Dok and Lazarus to new cryptominers, a fake WhatsApp trojan and the rapid development of a macOS bug which allowed remotely-hosted attacker code to execute on a local machine without warning from Gatekeeper. So what have attackers been up to since then, and what new tricks and tips do defenders need to be aware of? Let’s take a look at macOS malware from July to December, 2019.

Ric Ford

Nasty Mac malware from North Korea is evolving:
The Register said:
In a desperate bid to stay relevant in 2020's geopolitical upheaval, N. Korea upgrades its Apple Jeus macOS malware
Malware hunters are sounding the alarm over a new, more effective version of the North Korean "Apple Jeus" macOS software nasty.

The team at Kaspersky Lab's Global Research and Analysis Team has dissected what they say is a 'sequel' to the 2018 outbreak that targeted users on cryptocurrency sites for account theft.

Believed to be operating out of North Korea on behalf of the nation's authoritarian government, the Lazarus group looks to bring cash into the sanction-hit government's coffers by way of hacks on financial institutions, phishing and currency mining and theft operations.

... "We identified significant changes to the group’s attack methodology," the Kaspersky team explained. "To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk."

Ironic that clicking on the headline to learn more about this malware takes you to the Forbes site, whereupon I get this message:
Forbes said:
Please help us continue to provide you with free, quality journalism by turning off your ad blocker on our site.
For many sites (including Forbes) you can work around this by repeatedly typing the Esc key as the page loads. On Firefox (at least), this will stop scripts from running and will usually prevent the popup from appearing. (You may need to reload the page a few times in order to get the timing right.)

Script blockers (like NoScript) are even better. With scripting disabled, these ad-blocker-checkers generally can't run at all. The downside is that quite a lot of web sites break (sometimes catastrophically) without any scripting, forcing you to whitelist them (or their components). After a while, I found that I needed so many whitelisted sites that it was no longer useful.

Ric Ford

Here's a heads-up about some nasty phishing technology:
Brian Krebs said:
Tricky Phish Angles for Persistence, Not Passwords
Late last year saw the re-emergence of a nasty phishing tactic that allows the attacker to gain full access to a user’s data stored in the cloud without actually stealing the account password. The phishing lure starts with a link that leads to the real login page for a cloud email and/or file storage service. Anyone who takes the bait will inadvertently forward a digital token to the attackers that gives them indefinite access to the victim’s email, files and contacts — even after the victim has changed their password.

Before delving into the details, it’s important to note two things. First, while the most recent versions of this stealthy phish targeted corporate users of Microsoft’s Office 365 service, the same approach could be leveraged to ensnare users of many other cloud providers. Second, this attack is not exactly new: In 2017, for instance, phishers used a similar technique to plunder accounts at Google’s Gmail service.
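Since the token Krebs describes stays valid after a password change until the grant itself is revoked, a defender's first move is to find such consent grants in the audit log. The Python triage below is an added illustration (not from Krebs' article or any vendor): it rates constructed consent-grant events by whether they combine offline_access with mailbox, file or contact scopes (Microsoft Graph scope names) and whether an end user rather than an admin approved them; the event field names are this example's own assumed schema.

```python
import json

# Scope that yields refresh tokens, i.e. access that outlives the session and, as
# in the incident above, a password change, until the grant is revoked.
PERSISTENT_SCOPE = "offline_access"
# Scope families that expose mailbox, file or contact data (Microsoft Graph names).
DATA_SCOPE_PREFIXES = ("Mail.", "MailboxSettings.", "Files.", "Contacts.",
                       "Calendars.", "Sites.")

# Constructed consent-grant events, one JSON object per line. The field names are
# this example's own simplified schema, not any vendor's real audit-log format.
SAMPLE_EVENTS = """\
{"ts": "2020-01-06T09:12:00Z", "user": "alice@example.com", "app": "Mail Sync Helper", "app_id": "app-placeholder-1", "scopes": "offline_access Mail.Read Contacts.Read", "consent_by": "user"}
{"ts": "2020-01-06T09:15:00Z", "user": "bob@example.com", "app": "Corporate Wiki", "app_id": "app-placeholder-2", "scopes": "User.Read", "consent_by": "user"}
{"ts": "2020-01-06T10:02:00Z", "user": "carol@example.com", "app": "Backup Tool", "app_id": "app-placeholder-3", "scopes": "offline_access Files.ReadWrite.All", "consent_by": "admin"}
"""


def parse_events(text):
    """Parse JSON-lines audit events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def assess_grant(event):
    """Rate one consent grant. Returns (level, reasons) with level in
    'high', 'medium', 'low'."""
    scopes = event.get("scopes", "").split()
    persistent = PERSISTENT_SCOPE in scopes
    data_scopes = [s for s in scopes if s.startswith(DATA_SCOPE_PREFIXES)]
    user_consent = event.get("consent_by") == "user"
    reasons = []
    if persistent:
        reasons.append("offline_access: access persists until the grant is revoked")
    if data_scopes:
        reasons.append("data scopes: " + ", ".join(data_scopes))
    if user_consent:
        reasons.append("granted by an end user, not reviewed by an admin")
    if persistent and data_scopes and user_consent:
        return "high", reasons
    if persistent and data_scopes:
        return "medium", reasons
    return "low", reasons


def find_risky_consents(text, minimum="medium"):
    """Return grants at or above the given level, for review and possible revocation."""
    order = {"low": 0, "medium": 1, "high": 2}
    findings = []
    for event in parse_events(text):
        level, reasons = assess_grant(event)
        if order[level] >= order[minimum]:
            findings.append({"app": event["app"], "app_id": event["app_id"],
                             "user": event["user"], "level": level, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_risky_consents(SAMPLE_EVENTS):
        print(f"[{finding['level']}] {finding['app']} ({finding['app_id']}) "
              f"granted by {finding['user']}")
        for reason in finding["reasons"]:
            print("   -", reason)
```

Revoking a flagged grant, not just resetting the password, is what actually ends the attacker's access in this scenario.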

For many sites (including Forbes) you can work around this by repeatedly typing the Esc key as the page loads. On Firefox (at least), this will stop scripts from running and will usually prevent the popup from appearing. (You may need to reload the page a few times in order to get the timing right.)
As far as I can tell, Esc in Firefox means stop loading the page; it isn't script specific. The timing would need to be perfect to get it to load the page HTML, images, and style sheets but stop before loading scripts.

As far as I can tell, Esc in Firefox means stop loading the page; it isn't script specific. The timing would need to be perfect to get it to load the page HTML, images, and style sheets but stop before loading scripts.
It doesn't need to be that perfect. After 2-3 attempts, I can almost always hit the point where the content is loaded and readable, even if the page isn't 100% loaded.

Ric Ford

Here's a report about some Mac malware that's apparently quite widespread:
BleepingComputer said:
10% of All Macs Shlayered, Malware Cocktail Served
Many people think that malware only targets Windows and that Macs are safe, but a new report shows how a single Apple malware called Shlayer has attacked over 10% of all Apple computers monitored by an antivirus company.

Instead of distributing the Shlayer Trojan via phishing attacks or through other malware, the threat actors focus on trending events or popular shows and then build fake web sites surrounding them.

These web sites have become so common that Kaspersky reports that 1 in 10, or 10%, of Apple computers have been attacked by the Shlayer Trojan.

"In 2019, one in ten of our Mac security solutions encountered this malware at least once, and it accounts for almost 30% of all detections for this OS," Kaspersky stated in their report.

Apple users visit these fake sites through search results, links in YouTube videos, and even links in Wikipedia articles. When visiting these sites, instead of being greeted with a video to watch, they are told they need to first update Flash Player.

Ric Ford

Nasty Mac malware from North Korea is evolving:
Here's more about North Korean Mac hacking:
Forbes said:
How A Single Apple Mac Hack Scored North Korean Spies $7 Million In Cryptocurrency
North Korean hackers are using legitimate-looking LinkedIn and Telegram profiles in order to target the cryptocurrency wallets of macOS users, cybersecurity experts at Chainalysis have warned.

A report shown to Forbes ahead of publication on Tuesday revealed previously unknown details on a cryptocurrency exchange attack carried out by the Lazarus Group, a unit that the U.S. government and many cybersecurity researchers have identified as being North Korea-sponsored. It’s the same group blamed for the massive Sony Pictures breach in 2014 and the WannaCry ransomware epidemic of 2017.

Earlier in the week, Intel posted an advisory (see below) regarding vulnerabilities in their processor lineup which have been referred to in the press as: Zombiload, RIDL, and CacheOut. I have also included an additional article from Tom's Hardware which delves a bit further and perhaps provides a clearer explanation of the matter at hand.

We should expect a new round of firmware and BIOS updates in both Mac and Windows/PC platforms to deal with these possible exploits.
Intel said:
Today we released INTEL-SA-00329, Intel® Processors Data Leakage Advisory concerning two vulnerabilities that were publicly disclosed by researchers. As part of our commitment to transparency, the advisory has been released before our planned mitigations can be made available and we expect to release mitigations through our normal Intel Platform Update (IPU) process in the near future.

These issues are closely related to INTEL-SA-00233, released in November 2019, which addressed an issue called Transactional Synchronization Extensions (TSX) Asynchronous Abort, or TAA. At the time, we confirmed the possibility that some amount of data could still potentially be inferred through a side-channel and would be addressed in future microcode updates. The issues have been referred to by researchers as Zombiload, RIDL, and CacheOut.
Tom's Hardware said:
Intel Responds to ZombieLoad and CacheOut Attacks
Researchers at the University of Michigan, VUSec and University of Adelaide revealed a new attack they dubbed CacheOut yesterday. The speculative execution attack "is capable of leaking data from Intel CPUs across many security boundaries," according to the researchers, and it offers better targeting than previous attacks of its type.

CacheOut was purportedly inspired by previous speculative execution attacks like Spectre and Meltdown. Its reach extends further than those attacks, however, because it can bypass the hardware-based safeguards implemented by Intel in response to Meltdown's discovery. It can also be used to extract specific data.

FYI. Malware attacks on Macs are on the rise, and in some instances, they are now exceeding those on Windows.
Malwarebytes Labs said:
2020 State of Malware Report

Mac Threat Landscape 2019

We saw a significant rise in the overall prevalence of Mac threats in 2019, with an increase of over 400 percent from 2018. However, since you could argue—validly—that part of this was due to a corresponding increase in the total number of Mac endpoints running Malwarebytes software, it’s more interesting to look at the change in the number of detections per endpoint. Mac detections per endpoint increased from 4.8 in 2018 to a whopping 11.0 in 2019, a figure that is nearly double the same statistic for Windows.

This means that the average number of threats detected on a Mac is not only on the rise, but has surpassed Windows—by a great deal. This is likely because, with increasing market share in 2019, Macs became more attractive targets to cybercriminals. In addition, macOS’ built-in security systems have not cracked down on adware and PUPs to the same degree that they have malware, leaving the door open for these borderline programs to infiltrate.

Further, for the first time ever, Mac threats appeared at the top of Malwarebytes’ overall threat detections. Two Mac threats—NewTab and PCVARK—showed up in second and third place in our list of the most prevalent detections across all platforms.

Ric Ford

It’s important to note here that all of the 15 attacks listed are nuisance adware and PUPs. Many Windows attacks are still much more malicious (at least the ones we know about).
Let's also note that Mac malware can (and does) go far beyond the "nuisance" level....
ZDNet said:
Mac malware threats are now outpacing attacks on Windows PCs | ZDNet
... That's not to say that all malware campaigns targeting Mac users are low-level, as there are instances of trojan malware targeting Macs, but while they're not as prolific as the campaigns targeting Windows, they're still dangerous for the users.

And while attacks targeting Mac users are mostly low-level for now, as cyber criminals evolve their tactics, they could shift their gaze and attempt more destructive attacks against Apple systems.

"A rise in pre-installed malware, adware and multi-vector attacks signals that threat actors are becoming more creative and increasingly persistent with their campaigns," said Marcin Kleczynski, CEO of Malwarebytes. "It is imperative that, as an industry, we continue to raise the bar in defending against these sophisticated attacks."
And, as previously noted above:
Forbes said:
Meanwhile, Thomas Reed himself discussed Mac malware vectors with Recode:
Sara Morrison said:
Apple’s malware problem is getting worse
... “There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses,’” Reed said. “I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”

... “People need to understand that they’re not safe just because they’re using a Mac,” Reed said. “They need to exercise care about what they click on, what apps they download — and from where — and who they allow to have access to their computers.”

... Reed also recommended against installing Adobe Flash Player. “Fake Flash installers are one of the top methods for getting malware installed on a Mac,” he said.

Ric Ford

More about malvertising targeting Macs (including government and corporate systems)...
Bleeping Computer said:
Malvertising in Govt, Enterprise Targets Old Software, Macs
... In Confiant's report, they illustrate how both the United States Geological Survey and the United States Postal service are both heavily targeted by malvertising campaigns by Zirconium and Yosec.

... Both organizations also have a high percentage of malvertising attacks by the Yosec malvertising group. As this group targets Macs with scams and fake updates pushing the Shlayer Trojan, it shows that both organizations utilize a larger amount of macOS devices compared to other U.S. government agencies.

... In a corporate setting, it is not surprising that we begin to see a much larger percentage of malvertising from the Yosec group who target Mac computers.

For example, Apple, The Kroger Co., UPS, Boeing, and MetLife have over 50% of their malvertising attacks targeting Mac computers indicating that these companies utilize a large amount of Mac computers compared to other companies.

Numerous other companies such as Anthem Blue Cross Blue Shield, PepsiCo, and State Farm also are heavily targeted by Yosec with over 40% of their malvertising attacks directed at Mac computers.

... Most malvertising tends to involve nuisance redirects to fake giveaways, tech support scams, and adult sites, but it could also have more dire consequences.

With the continued usage of outdated browsers, exploit kits could use vulnerabilities to install malware that allows attackers to gain access to the network.

From there, they can exfiltrate files, steal corporate secrets, compromise more devices, and eventually deploy ransomware throughout the network.

Ric Ford

This one is bad and carries the highest severity rating – a zero-day vulnerability in Zyxel NAS devices that can be remotely exploited, and the exploit is being actively sold to criminals....
Brian Krebs said:
Zyxel Fixes 0day in Network Storage Devices — Krebs on Security
Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. ... The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide.

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.
