
malware and security


Ric Ford

MacInTouch
It’s important to note here that all of the 15 attacks listed are nuisance adware and PUPs. Many Windows attacks are still much more malicious (at least the ones we know about).
Let's also note that Mac malware can (and does) go far beyond the "nuisance" level....
ZDNet said:
Mac malware threats are now outpacing attacks on Windows PCs
... That's not to say that all malware campaigns targeting Mac users are low-level, as there are instances of trojan malware targeting Macs, but while they're not as prolific as the campaigns targeting Windows, they're still dangerous for the users.

And while attacks targeting Mac users are mostly low-level for now, as cyber criminals evolve their tactics, they could shift their gaze and attempt more destructive attacks against Apple systems.

"A rise in pre-installed malware, adware and multi-vector attacks signals that threat actors are becoming more creative and increasingly persistent with their campaigns," said Marcin Kleczynski, CEO of Malwarebytes. "It is imperative that, as an industry, we continue to raise the bar in defending against these sophisticated attacks."
And, as previously noted above:
Forbes said:
Meanwhile, Thomas Reed himself discussed Mac malware vectors with Recode:
Sara Morrison said:
Apple’s malware problem is getting worse
... “There is a rising tide of Mac threats hitting a population that still believes that ‘Macs don’t get viruses,’” Reed said. “I still frequently encounter people who firmly believe this, and who believe that using any kind of security software is not necessary, or even harmful. This makes macOS a fertile ground for the influx of new threats, whereas it’s common knowledge that Windows PCs need security software.”

... “People need to understand that they’re not safe just because they’re using a Mac,” Reed said. “They need to exercise care about what they click on, what apps they download — and from where — and who they allow to have access to their computers.”

... Reed also recommended against installing Adobe Flash Player. “Fake Flash installers are one of the top methods for getting malware installed on a Mac,” he said.
 


Ric Ford

MacInTouch
More about malvertising targeting Macs (including government and corporate systems)...
Bleeping Computer said:
Malvertising in Govt, Enterprise Targets Old Software, Macs
... In Confiant's report, they illustrate how both the United States Geological Survey and the United States Postal service are both heavily targeted by malvertising campaigns by Zirconium and Yosec.

... Both organizations also have a high percentage of malvertising attacks by the Yosec malvertising group. As this group targets Macs with scams and fake updates pushing the Shlayer Trojan, it shows that both organizations utilize a larger amount of macOS devices compared to other U.S. government agencies.

... In a corporate setting, it is not surprising that we begin to see a much larger percentage of malvertising from the Yosec group who target Mac computers.

For example, Apple, The Kroger Co., UPS, Boeing, and MetLife have over 50% of their malvertising attacks targeting Mac computers indicating that these companies utilize a large amount of Mac computers compared to other companies.

Numerous other companies such as Anthem Blue Cross Blue Shield, PepsiCo, and State Farm also are heavily targeted by Yosec with over 40% of their malvertising attacks directed at Mac computers.

... Most malvertising tends to involve nuisance redirects to fake giveaways, tech support scams, and adult sites, but it could also have more dire consequences.

With the continued usage of outdated browsers, exploit kits could use vulnerabilities to install malware that allows attackers to gain access to the network.

From there, they can exfiltrate files, steal corporate secrets, compromise more devices, and eventually deploy ransomware throughout the network.
 


Ric Ford

MacInTouch
This one is bad and carries the highest severity rating – a zero-day vulnerability in Zyxel NAS devices that can be remotely exploited, and the exploit is being actively sold to criminals....
Brian Krebs said:
Zyxel Fixes 0day in Network Storage Devices — Krebs on Security
Networking hardware vendor Zyxel today released an update to fix a critical flaw in many of its network attached storage (NAS) devices that can be used to remotely commandeer them. ... The company has roughly 1,500 employees and boasts some 100 million devices deployed worldwide.

Earlier today, Zyxel sent a message saying it had published a security advisory and patch for the zero-day exploit in some of its affected products. The vulnerable devices include NAS542, NAS540, NAS520, NAS326, NSA325 v2, NSA325, NSA320S, NSA320, NSA310S, NSA310, NSA221, NSA220+, NSA220, and NSA210. The flaw is designated as CVE-2020-9054.

However, many of these devices are no longer supported by Zyxel and will not be patched. Zyxel’s advice for those users is simply “do not leave the product directly exposed to the internet.”

“If possible, connect it to a security router or firewall for additional protection,” the advisory reads.

Holden said given the simplicity of the exploit — which allows an attacker to seize remote control over an affected device by injecting just two characters to the username field of the login panel for Zyxel NAS devices — it’s likely other Zyxel products may have related vulnerabilities.
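Krebs doesn't spell out which two characters do the trick, and this isn't Zyxel's code, but the bug class he describes (a login field handed to a shell unescaped) is easy to show. Added example, my own, not from the article or the vendor: the deliberately vulnerable handler interpolates the username into a shell command string (`echo` stands in for whatever the real firmware runs), and the hardened version rejects anything outside an assumed account-name allowlist and never invokes a shell at all.

```python
"""Added illustration of the command-injection class behind CVE-2020-9054 (not
Zyxel's code): one function builds a shell command from the login field, the
other validates the field and passes it as an argv element. `echo` is a
stand-in for the real command; the username policy is assumed for the demo."""
import re
import subprocess

# Assumed policy for the example: only characters a real account name needs.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")


def lookup_vulnerable(username: str) -> str:
    """BUG (deliberate): the field is spliced into a shell command string, so a
    shell metacharacter in it ends the intended command and starts a new one."""
    cmd = f"echo lookup user={username}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def lookup_hardened(username: str) -> str:
    """Fixed: allowlist-validate the field, then pass it as an argument list so
    no shell ever parses it. Either fix alone closes the hole; both is better."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return subprocess.run(["echo", f"lookup user={username}"],
                          capture_output=True, text=True).stdout


def injection_succeeded(output: str, marker: str) -> bool:
    """True when a line that could only come from an injected command is present."""
    return marker in output.splitlines()


if __name__ == "__main__":
    payload = "admin;echo INJECTED"          # constructed attacker input
    print(lookup_vulnerable(payload), end="")  # prints the extra INJECTED line
    try:
        lookup_hardened(payload)
    except ValueError as e:
        print("hardened handler rejected input:", e)
```

The second fix matters on its own: with the argument list, even an unvalidated `admin;echo INJECTED` would just be echoed back as one literal string, because there is no shell to interpret the `;`.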
 


Let's also note that Mac malware can (and does) go far beyond the "nuisance" level....

Meanwhile, Thomas Reed himself discussed Mac malware vectors with Recode...
... Mac malware certainly has risen far beyond nuisance level. My comment was only meant to apply to the Malwarebytes report on last year’s experience.

And since you mentioned Thomas Reed, here’s a quote he made in the Slack MacAdmins #security forum concerning that report:
‘Thomas Reed’ said:
Yeah, I was looking into our numbers in preparation for that report, and was totally blown away by what I found. I had never compared our Mac and Windows data, and it was not at all what I expected!

Quite shocking... but also, in a way, somewhat reassuring, as despite the volume, only about 1% of it is actual malware. The other 99% is all adware and PUPs.

In contrast, on the Windows side, malware is almost 28%.
[See Potentially Unwanted Program (PUP). –Ric Ford]
 


Ric Ford

MacInTouch
Mac malware certainly has risen far beyond nuisance level....
Here's some more perspective of how bad Mac malware is becoming... (and who among us has a prayer of controlling code created by the governments of "nation states", such as North Korea, Russia, Iran, China, et al?):
Wired said:
North Korea Is Recycling Mac Malware. That's Not the Worst Part
For years, North Korea's Lazarus Group hackers have plundered and pillaged the global internet, scamming and infecting digital devices around the world for espionage, profit, and sabotage. One of their weapons of choice: a so-called loader that allows them to clandestinely run a diverse array of malware on targeted Macs with hardly a trace. But Lazarus didn't create the loader on its own. The group seems to have found it lying around online, and repurposed it to elevate their attacks.

The reality of malware reuse is well established. The NSA reportedly reuses malware, as do state-sponsored hackers from China, North Korea, Russia, and elsewhere. But at the RSA security conference in San Francisco on Tuesday, former National Security Agency analyst and Jamf researcher Patrick Wardle will show a particularly compelling example of how ubiquitous and extensive malware reuse really is, even on Macs—and how vital it is to take the threat seriously.
 


Ric Ford

MacInTouch
Here's another extremely serious vulnerability that offers complete takeover of a system running OpenSMTPD (and may affect Macs):
Bleeping Computer said:
New Critical RCE Bug in OpenBSD SMTP Server Threatens Linux Distros
Security researchers have discovered a new critical vulnerability in the OpenSMTPD email server. An attacker could exploit it remotely to run shell commands as root on the underlying operating system.

OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).

Tracked as CVE-2020-8794, the remote code execution bug is present in OpenSMTPD's default installation. Proof-of-concept (PoC) exploit code has been created and will be released tomorrow, February 26.
 


Here's some more perspective of how bad Mac malware is becoming, and who among us has a prayer of controlling code created by the governments of "nation states", such as North Korea, Russia, Iran, China, et al?
Keyword here is "targeted" -- almost always a very small population of users, usually running legacy systems and software who are unlikely to be frequenting this forum or running Malwarebytes (or any other modern anti-malware software) on their Macs.

But more to the point, I believe the malware that Patrick will speak on was first found on Dec. 3 last year, so is unlikely to be included at all (or in small numbers, at best) in the Malwarebytes report for last year. We should know more as 2020 quarterly/semi-annual/annual summaries are published.
 


Ric Ford

MacInTouch
Keyword here is "targeted" -- almost always a very small population of users, usually running legacy systems and software who are unlikely to be frequenting this forum or running Malwarebytes (or any other modern anti-malware software) on their Macs.
Not a "very small population" in the case of this "targeted" group (although iPhones were compromised rather than Macs):
Google said:
A very deep dive into iOS Exploit chains found in the wild
... Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.

I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.
(The attacks also infected non-targeted visitors to the malicious "watering hole" websites and infected Android and Windows systems, as well, though perhaps not Macs, which are probably scant in the targeted population.)
 


Not a "very small population" in the case of this "targeted" group (although iPhones were compromised rather than Macs):
Google said:
A very deep dive into iOS Exploit chains found in the wild
... Real users make risk decisions based on the public perception of the security of these devices. The reality remains that security protections will never eliminate the risk of attack if you're being targeted. To be targeted might mean simply being born in a certain geographic region or being part of a certain ethnic group. All that users can do is be conscious of the fact that mass exploitation still exists and behave accordingly; treating their mobile devices as both integral to their modern lives, yet also as devices which when compromised, can upload their every action into a database to potentially be used against them.

I hope to guide the general discussion around exploitation away from a focus on the million dollar dissident and towards discussion of the marginal cost for monitoring the n+1'th potential future dissident. I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.
(The attacks also infected non-targeted visitors to the malicious "watering hole" websites and infected Android and Windows systems, as well, though perhaps not Macs, which are probably scant in the targeted population.)
Impossible to judge the size of the population, since they purposely avoided telling us what the watering hole websites were and what groups were expected to frequent them. The fact that iPhones were attacked isn’t really material, as the same vector has been, and almost certainly is today being, used against most all platforms. And certainly the watering hole method will always net more non-targeted visitors as compared with other types of directly targeted group attacks.

But depending upon the intended (malicious?) purpose, is there really a danger to those non-targeted visitors? Were their iPhones or their data actually compromised or did the user do something they normally wouldn’t do (like vote for a certain individual)? It’s never a good thing to have one’s digital device compromised in any manner, but I can’t judge the metrics (probability of compromise, severity, etc.) without more non-technical detail.
 


Bleeping Computer said:
... OpenSMTPD is present on many Unix-based systems, including FreeBSD, NetBSD, macOS, Linux (Alpine, Arch, Debian, Fedora, CentOS).
Hmm, that may be one notch too scary. OpenSMTPd's portable version will work on these system types, if you install it. It's not installed by default on most of them. For example, standard macOS includes and uses Postfix to fill this role.

I certainly agree with the larger point, though - OpenSMTPd is a great example of software that was developed by some quite security-conscious people and then further audited externally, and holes still creep in. Software is incredibly complex.
 


Ric Ford

MacInTouch
This one is bad and carries the highest severity rating – a zero-day vulnerability in Zyxel NAS devices that can be remotely exploited, and the exploit is being actively sold to criminals....
Here are the latest extreme vulnerabilities in Zyxel products – firewalls in this case, some of which won't even be patched...
Brian Krebs said:
Zyxel 0day Affects its Firewall Products, Too — Krebs on Security
This week’s story on the Zyxel patch was prompted by the discovery that exploit code for attacking the flaw was being sold in the cybercrime underground for $20,000. Alex Holden, the security expert who first spotted the code for sale, said at the time the vulnerability was so “stupid” and easy to exploit that he wouldn’t be surprised to find other Zyxel products were similarly affected. Now it appears Holden’s hunch was dead-on.

“We’ve now completed the investigation of all Zyxel products and found that firewall products running specific firmware versions are also vulnerable,” Zyxel wrote in an email to KrebsOnSecurity.

... CERT’s advisory on the flaw rates this vulnerability at a “10” — its most severe. My advice? If you can’t patch it, pitch it. The zero-day sales thread first flagged by Holden also hinted at the presence of post-authentication exploits in many Zyxel products, but the company did not address those claims in its security advisories.

... Holden said the exploit is now being used by a group of bad guys who are seeking to fold the exploit into Emotet, a powerful malware tool typically disseminated via spam that is frequently used to seed a target with malcode which holds the victim’s files for ransom.
 


Ric Ford

MacInTouch
Here are details about "Kr00k", a vulnerability in Broadcom WiFi hardware that allows interception of data sent wirelessly...
Dan Goodin/Ars Technica said:
Flaw in billions of Wi-Fi devices left communications open to eavesdropping
Billions of devices—many of them already patched—are affected by a Wi-Fi vulnerability that allows nearby attackers to decrypt sensitive data sent over the air, researchers said on Wednesday at the RSA security conference.

The vulnerability exists in Wi-Fi chips made by Cypress Semiconductor and Broadcom, the latter whose Wi-Fi business was acquired by Cypress in 2016. The affected devices include iPhones, iPads, Macs, Amazon Echos and Kindles, Android devices, Raspberry Pi 3’s, and Wi-Fi routers from Asus and Huawei. Eset, the security company that discovered the vulnerability, said the flaw primarily affects Cypress’ and Broadcom’s FullMAC WLAN chips, which are used in billions of devices. Eset has named the vulnerability Kr00k, and it is tracked as CVE-2019-15126.

Manufacturers have made patches available for most or all of the affected devices, but it’s not clear how many devices have installed the patches. Of greatest concern are vulnerable wireless routers, which often go unpatched indefinitely.
BleepingComputer said:
Kr00k Bug in Broadcom, Cypress WiFi Chips Leaks Sensitive Info
A vulnerability in some popular WiFi chips present in client devices, routers, and access points, can be leveraged to partially decrypt user communication and expose data in wireless network packets.

... Given that Broadcom chips are used in most WiFi gadgets and those from Cypress are preferred by IoT makers, it is safe to assume that at the time of the discovery Kr00k impacted at least one billion devices.

Prior to patching, ESET found that the following devices were vulnerable to Kr00k:
  • Amazon Echo 2nd gen
  • Amazon Kindle 8th gen
  • Apple iPad mini 2
  • Apple iPhone 6, 6S, 8, XR
  • Apple MacBook Air Retina 13-inch 2018
  • Google Nexus 5
  • Google Nexus 6
  • Google Nexus 6S
  • Raspberry Pi 3
  • Samsung Galaxy S4 GT-I9505
  • Samsung Galaxy S8
  • Xiaomi Redmi 3S
  • Asus RT-N12
  • Huawei B612S-25d
  • Huawei EchoLife HG8245H
  • Huawei E5577Cs-321
... Full details about Kr00k are available on a dedicated page as well as in a technical paper authored by Miloš Čermák, Štefan Svorenčík and Robert Lipovský, in collaboration with Ondrej Kubovič.
 


Here are details about "Kr00k", a vulnerability in Broadcom WiFi hardware that allows interception of data sent wirelessly...
Two comments about this:

1. Any data using an encrypted socket (e.g. an HTTPS connection) will still be secure, even if someone is exploiting this vulnerability. Being able to snoop your packets will only let an attacker view plaintext traffic.
2. You should never be doing anything sensitive (including entering passwords) on non-encrypted connections, with or without this bug. Wi-Fi encryption only protects the link from your computer to the access point, whereas a secure socket will protect the entire path to the remote server.

Of course, this is a serious bug, but it should be of minimal consequence for people who are careful to not use insecure connections for sensitive data.
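To make the plaintext-versus-TLS distinction in the post concrete, here is an added example (mine, not from the post or from ESET's paper) showing what someone who can read Wi-Fi frame payloads sees in each case. It parses two constructed TCP payloads: a plaintext HTTP login, where the host, cookie and password are all readable, and a TLS ClientHello to the same server, where the only thing recoverable is the server name in the SNI extension. The ClientHello is built inline by a helper so the parser has something to run on; the host name and credentials are made up.

```python
"""Added example (not part of the original post): classify a captured TCP payload
the way a passive Wi-Fi eavesdropper would see it. Plaintext HTTP exposes the
whole request; TLS exposes only handshake metadata such as the SNI host name.
Both sample payloads below are constructed for the demo."""
import struct


def build_client_hello(sni: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record carrying a server_name
    extension (demo helper, not a real handshake)."""
    name = sni.encode("ascii")
    sni_body = struct.pack(">H", len(name) + 3) + b"\x00" + struct.pack(">H", len(name)) + name
    ext = struct.pack(">HH", 0x0000, len(sni_body)) + sni_body       # type 0 = server_name
    body = (
        b"\x03\x03" + bytes(32)             # client_version, random (zeros for the demo)
        + b"\x00"                           # session_id length 0
        + b"\x00\x02\x13\x01"               # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                       # one compression method: null
        + struct.pack(">H", len(ext)) + ext  # extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


def extract_sni(payload: bytes):
    """Return the server_name from a TLS ClientHello, or None if not present."""
    if len(payload) < 6 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    off = 9 + 2 + 32                        # record hdr, handshake hdr, version, random
    off += 1 + payload[off]                 # session_id
    off += 2 + struct.unpack(">H", payload[off:off + 2])[0]          # cipher_suites
    off += 1 + payload[off]                 # compression_methods
    if off + 2 > len(payload):
        return None                         # no extensions block
    end = off + 2 + struct.unpack(">H", payload[off:off + 2])[0]
    off += 2
    while off + 4 <= end:
        etype, elen = struct.unpack(">HH", payload[off:off + 4])
        data = payload[off + 4:off + 4 + elen]
        off += 4 + elen
        if etype == 0 and len(data) >= 5:   # ServerNameList: len(2) type(1) len(2) name
            name_len = struct.unpack(">H", data[3:5])[0]
            return data[5:5 + name_len].decode("ascii", "replace")
    return None


def classify(payload: bytes) -> dict:
    """What an eavesdropper learns from one captured payload."""
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"kind": "tls", "visible": {"sni": extract_sni(payload)}}
    head, _, body = payload.partition(b"\r\n\r\n")
    lines = head.decode("ascii", "replace").split("\r\n")
    req = lines[0].split(" ")
    if len(req) == 3 and req[2].startswith("HTTP/"):
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        return {"kind": "http", "visible": {
            "method": req[0], "path": req[1], "host": headers.get("Host"),
            "cookie": headers.get("Cookie"), "body": body.decode("ascii", "replace")}}
    return {"kind": "unknown", "visible": {}}


# Constructed sample traffic (made-up host and credentials).
PLAINTEXT_LOGIN = (b"POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                   b"Cookie: session=abc123\r\nContent-Type: application/x-www-form-urlencoded\r\n"
                   b"\r\nuser=alice&pass=hunter2")
TLS_LOGIN = build_client_hello("intranet.example")

if __name__ == "__main__":
    for name, pkt in (("plaintext", PLAINTEXT_LOGIN), ("tls", TLS_LOGIN)):
        print(name, classify(pkt))
```

The SNI is worth noticing: even with TLS doing its job, a passive observer still learns which hosts you talk to (and, from DNS, the same thing again), so "only plaintext traffic" means content, not destinations.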
 


Here are details about "Kr00k", a vulnerability in Broadcom WiFi hardware that allows interception of data sent wirelessly...
Note that the article states Apple addressed the issue with releases of macOS Catalina 10.15.1 and iOS/iPadOS 13.2 [but] apparently did nothing for Sierra/High Sierra, other iDevices or base stations.

It's not really clear to me exactly how much data can be decrypted due to the flaw.
 


Here's some more perspective of how bad Mac malware is becoming, and who among us has a prayer of controlling code created by the governments of "nation states", such as North Korea, Russia, Iran, China, et al?
As speculated, this was the same Lazarus malware that Patrick blogged about back in early December. He published the technical presentation given at the RSA Conference in his blog today:
Objective-See said:
 



Here are the latest extreme vulnerabilities in Zyxel products – firewalls in this case, some of which won't even be patched...
I'm curious about something. Does this Zyxel vulnerability extend to their line of internet DSL modem/routers? My former ISP was Century Link, and they use a customized Zyxel modem for their DSL service up to ~ 30 Mbps and maybe faster (used the VDSL protocol). There must be many tens or hundreds of thousands of those out there...

My unit was a C1100Z modem router, in service for 3 years.
 


[FYI]
Thomas Reed/Malwarebytes said:
Mac adware is more sophisticated and dangerous than traditional Mac malware

As the data revealed in our State of Malware report showed, Mac threats are on the rise, but they are not the same type of threats experienced by Windows users. Most notably, more traditional forms of malware, such as ransomware, spyware, and backdoors account for over 27 percent of all Windows threats. That figure is less than 1 percent for Macs.

Further, Mac malware is rather unsophisticated overall. The remaining 99+ percent of Mac threats are “just” adware and potentially unwanted programs (PUPs). This has led some in the Mac community to dismiss these findings as unimportant, even leading one Mac blogger to write:
“Macs don’t get viruses” is a statement that is still overwhelmingly true.
However, adware and PUPs can actually be far more invasive and dangerous on the Mac than “real” malware. They can intercept and decrypt all network traffic, create hidden users with static passwords, make insecure changes to system settings, and generally dig their roots deep into the system so that it is incredibly challenging to eradicate completely.
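Two of the footprints Reed lists (hidden local accounts, and traffic interception, which on a Mac is normally done by pointing the system web proxy at a local process) can be checked with stock tools. Added example, my own and not Malwarebytes' code: it parses the output of `dscl . -list /Users UniqueID` and `networksetup -getwebproxy`, flagging accounts hidden by a sub-500 UID that aren't Apple's own and any enabled proxy. The parsers are exercised on constructed command output embedded in the script; on a Mac, `run_audit()` runs the real commands. The sample account names and proxy address are made up.

```python
"""Added example (not from the article): audit two adware footprints on macOS,
hidden local accounts and an enabled system web proxy. Parsers run on
constructed sample output below; run_audit() uses the live commands on a Mac."""
import shutil
import subprocess

# Apple's own low-UID accounts start with '_' or are one of these.
KNOWN_SYSTEM = {"root", "daemon", "nobody"}
HIDDEN_UID_LIMIT = 500  # macOS hides accounts below UID 500 from the login window by default


def parse_user_list(text: str) -> list:
    """Parse `dscl . -list /Users UniqueID` output: one 'name  uid' per line."""
    users = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lstrip("-").isdigit():
            users.append((parts[0], int(parts[1])))
    return users


def suspicious_users(users) -> list:
    """Accounts hidden by a low UID that are not Apple's own: adware's 'hidden user'."""
    return sorted(name for name, uid in users
                  if uid < HIDDEN_UID_LIMIT and not name.startswith("_")
                  and name not in KNOWN_SYSTEM)


def parse_proxy(text: str) -> dict:
    """Parse `networksetup -getwebproxy <service>` (same shape for -getsecurewebproxy)."""
    fields = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return {"enabled": fields.get("Enabled") == "Yes",
            "server": fields.get("Server"), "port": fields.get("Port")}


def proxy_findings(text: str) -> list:
    """A proxy you didn't configure is how installed adware gets to read browser traffic."""
    proxy = parse_proxy(text)
    if proxy["enabled"]:
        return [f"web proxy enabled -> {proxy['server']}:{proxy['port']}"]
    return []


def run_audit(service: str = "Wi-Fi") -> dict:
    """Live audit on macOS; returns no findings on systems without these tools."""
    if not (shutil.which("dscl") and shutil.which("networksetup")):
        return {"users": [], "proxy": []}
    users = subprocess.run(["dscl", ".", "-list", "/Users", "UniqueID"],
                           capture_output=True, text=True).stdout
    proxy = subprocess.run(["networksetup", "-getwebproxy", service],
                           capture_output=True, text=True).stdout
    return {"users": suspicious_users(parse_user_list(users)),
            "proxy": proxy_findings(proxy)}


# Constructed sample output (made-up account 'helper' planted at UID 499).
SAMPLE_USERS = """_www                 70
root                 0
daemon               1
nobody               -2
_mbsetupuser         248
helper               499
alice                501
"""
SAMPLE_PROXY_ON = "Enabled: Yes\nServer: 127.0.0.1\nPort: 8080\nAuthenticated Proxy Enabled: 0\n"
SAMPLE_PROXY_OFF = "Enabled: No\nServer: \nPort: 0\nAuthenticated Proxy Enabled: 0\n"

if __name__ == "__main__":
    print("sample users:", suspicious_users(parse_user_list(SAMPLE_USERS)))
    print("sample proxy:", proxy_findings(SAMPLE_PROXY_ON))
    print("this machine:", run_audit())
```

A hit on either check is a lead, not a verdict: MDM and corporate proxies are legitimate, and an account's `IsHidden` attribute (also settable via `dscl`) is a second place to look that this script doesn't cover.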
 


I'm curious about something. Does this Zyxel vulnerability extend to their line of internet DSL modem/routers? My former ISP was Century Link, and they use a customized Zyxel modem for their DSL service up to ~ 30 Mbps and maybe faster (used the VDSL protocol). There must be many tens or hundreds of thousands of those out there...

My unit was a C1100Z modem router, in service for 3 years.
According to the updated CERT and ZyXEL advisories, it appears that it is limited to various firewall, VPN, and NAS devices. It does not look like modems, routers, or switches are affected.
 


Ric Ford

MacInTouch
Here's some more perspective of how bad Mac malware is becoming... (and who among us has a prayer of controlling code created by the governments of "nation states", such as North Korea, Russia, Iran, China, et al?):
$2 billion is a lot of motivation, and North Korea has advanced hacking capabilities....
BleepingComputer said:
US Charges Two With Laundering $100M for North Korean Hackers

... "The August 2019 UN Security Council 1718 Committee Panel of Experts report estimates that North Korea had attempted to steal as much as $2 billion, of which $571 million is attributed to cryptocurrency theft. This revenue allows the North Korean regime to continue to invest in its illicit ballistic missile and nuclear programs."

While the DoJ and OFAC haven't named the two hacked crypto exchanges, the two press releases hint at potential connections to Lazarus Group campaigns detected and reported by Kaspersky in 2018 and 2020.
Kaspersky said:
Operation AppleJeus Sequel
The Lazarus group is currently one of the most active and prolific APT actors. In 2018, Kaspersky published a report on one of their campaigns, named Operation AppleJeus. Notably, this operation marked the first time Lazarus had targeted macOS users, with the group inventing a fake company in order to deliver their manipulated application and exploit the high level of trust among potential victims. As a result of our ongoing efforts, we identified significant changes to the group’s attack methodology.

To attack macOS users, the Lazarus group has developed homemade macOS malware, and added an authentication mechanism to deliver the next stage payload very carefully, as well as loading the next-stage payload without touching the disk. In addition, to attack Windows users, they have elaborated a multi-stage infection procedure, and significantly changed the final payload. We assess that the Lazarus group has been more careful in its attacks following the release of Operation AppleJeus and they have employed a number of methods to avoid being detected.
 


Ric Ford

MacInTouch
Here's some information that looks useful - an encyclopedia of malware detection-evasion tricks, including a page about macOS:
Check Point Research said:
Evasions: macOS
... Apple software licensing policy doesn’t allow emulating macOS on hardware other than the original Apple hardware. It also doesn’t allow more than 2 virtual machines to run on one host machine. Therefore, we suggest using solutions such as DeepFreeze instead of virtualization. In addition, signed kernel extensions should be used.
 


Ric Ford

MacInTouch
This is quite a disturbing (technical) article that refuses to name the company(s) using these extremely tricky Mac "installers" based on malware mechanisms:
Sophos said:
“Double agent”: a MacOS bundleware installer that acts like a spy
Security software frequently blocks “bundleware” installers – software distribution tools that bundle their advertised applications with (usually undesired) additional software – as potentially undesirable applications. But one widely-used software distribution tool for MacOS applications goes to great lengths to avoid being blocked as “bundleware” – using a number of anti-forensics techniques that are more common in malware code. The installer is from a legitimate company, which claims to reach over 1 billion users per month with its various downloaders and adware platforms.
 


This is quite a disturbing (technical) article that refuses to name the company(s) using these extremely tricky Mac "installers" based on malware mechanisms:
I did a quick read of the article and I don’t see anything to make me believe that this is the Zoom installer, but the much-maligned Zoom product just took another hit today (there has been something new each day for a while now) with the discovery of two zero-day vulnerabilities, one of which comes from the installer.
Patrick Wardle said:
The 'S' in Zoom, Stands for Security
uncovering (local) security flaws in Zoom's latest macOS client
For less technical coverage of this see
TechCrunch said:
<https://techcrunch.com/2020/03/31/zoom-at-your-own-risk/>

Now that a large portion of the world is working from home to ride out the coronavirus pandemic, Zoom’s popularity has rocketed, but also has led to an increased focus on the company’s security practices and privacy promises. Hot on the heels of two security researchers finding a Zoom bug that can be abused to steal Windows passwords, another security researcher found two new bugs that can be used to take over a Zoom user’s Mac, including tapping into the webcam and microphone.

Patrick Wardle, a former NSA hacker and now principal security researcher at Jamf, dropped the two previously undisclosed flaws on his blog Wednesday, which he shared with TechCrunch.
 


Ric Ford

MacInTouch
Some sobering reading about buying and selling "zero-day" cyberweapons:
ThreatPost said:
A Brisk Private Trade in Zero-Days Widens Their Use
There were more zero-days exploited in 2019 than any of the previous three years, according to telemetry from FireEye Mandiant. The firm said that’s likely due to more zero-days coming up for sale by cyber-weapons dealers like NSO Group; a growing commercial market has made such tools much more widely available.

While the identification and exploitation of zero-day vulnerabilities has historically been a calling card for only the most sophisticated cybercriminals, a wider range of threat actors are now gaining access to exploits for undocumented, unpatched bugs simply by buying them – no deep security expertise required.

“A wider range of tracked actors appear to have gained access to these capabilities,” FireEye researchers noted in a blog post, published on Monday. “[This includes] a significant increase over time in the number of zero-days leveraged by groups suspected to be customers of companies that supply offensive cyber-capabilities.”
 




Do malware criminals ever get caught... to a statistically significant degree?
Doubtful. From what I've read, most are tied to international crime syndicates - many operating out of Russia and other Eastern European countries where it is hard or impossible for Western law enforcement to get sufficient cooperation.

You might find Brian Krebs's book, Spam Nation an interesting read, regarding the connections between spam, malware and organized crime.
 

