vulnerabilities and vectors


Ric Ford

MacInTouch
Just got the following notice from ‘Have I Been Pwned’...
I got the same notice and followed up for a report on 27 compromised email addresses in my domain. Some observations:
  • The most concerning one is a personal address never used for anything but correspondence with friends and family and for one or two financial/medical institutions. This is reported as compromised in the "Apollo" breach. I wonder where/how it got harvested.
  • A spam-trap address is reported harvested by "Onliner Spambot" from my website, along with legitimate addresses also posted on the website.
  • Old, obsolete addresses were compromised by Verifications.io and B2B USA Businesses.
  • My decades-old original email address is compromised by Apollo, Exactis, Onliner Spambot, River City Media Spam List, and Verifications.io.
  • Postmaster is compromised by Apollo, B2B USA Businesses, Exactis, Onliner Spambot, and Verifications.io.
  • Several invalid addresses were listed under Apollo, Exactis, Verifications.io, and B2B USA Businesses.
 




Anyone know who or what verifications.io is?
Here's the original article:
Bob Diachenko/Security Discovery said:
800+ Million Emails Leaked Online by Email Verification Service

How this all works:
  1. Someone uploads a list of email addresses that they want to validate.
  2. Verifications.io has a list of mail servers and internal email accounts that they use to “validate” an email address.
  3. They do this by literally sending the people an email. If it does not bounce, the email is validated.
  4. If it bounces, they put it in a bounce list so they can easily validate later on.
 


According to their former website, verifications.io provides “Email Validation and Verification, Data Enhancement, and Free Phone Lookup” to enterprise subscribers in order to "Remove harmful data and bounces from your list before you send."
So does this mean the data breach is of no consequence? It would seem to me that they would have your e-mail address (which is probably available through hundreds of vectors) but no passwords or credentials associated with them.

If you are a list manager using verifications.io to sanitize your lists, of course, then you probably need to change the credentials you were using to access their service.
 


So does this mean the data breach is of no consequence? It would seem to me that they would have your e-mail address (which is probably available through hundreds of vectors) but no passwords or credentials associated with them.
That's not what was reported. Records also contained Dates of birth, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses.

I would have to say that's consequential enough to get a good start at identity theft in a number of places.
 


That's not what was reported. Records also contained Dates of birth, Employers, Genders, Geographic locations, IP addresses, Job titles, Names, Phone numbers, Physical addresses.
That's all available in public records. A thief may have an easier time with this database (assuming all this is available for your record), but there's nothing that isn't already available from dozens of existing search services.
 


While we might complain about Apple's security updates partially munging some machines, Asus got hacked, and infected updates using its "Asus Live Updates" have been winging their merry way around cyberspace; the miscreants hacked Asus's update servers.

Apparently this may have been a narrowly targeted attack because if your Asus machine's MAC address wasn't in a select group, nothing bad would happen. Yesterday, Asus finally acknowledged the issue and issued an update to its Live Update app. However, if your machine didn't have the Live Update app installed (which could happen if you did a clean Windows installation, like I did), their tech support people are sending out a link to the complete app that results in an Error 404... yes, a bad link.

Repeated emails to their tech support folks pointing out this issue result in... nothing, no responses. If these were Apple support personnel, they'd be fired. And what of the webmaster who is {not} minding the store? sigh

Well, at least the original email they sent had a valid link to email their CEO. Oh, I unloaded on him...
 


... the miscreants hacked Asus's update servers...
And that is one vendor we know of.

I hate blindly being forced to hand over firmware-level access to Adobe, Intuit, Apple or Microsoft. It's the same as handing over keys to our bank accounts. Crazy.

Several years ago, 60 Minutes interviewed Kim Dotcom from New Zealand - he voiced his biggest security fear: scheduled updates from manufacturers.

We are all susceptible. And how would we ever know if OS-level hacks are present?
 


Several years ago, 60 Minutes interviewed Kim Dotcom from New Zealand - he voiced his biggest security fear: scheduled updates from manufacturers. We are all susceptible. And how would we ever know if OS-level hacks are present?
And this is far from the first time.

Many years ago, a PC of mine got infected by Microsoft's own update server. I was running McAfee antivirus. I had just scanned the system and it was clean. Then I did a "windows update" and immediately afterward, it started alerting me about infections. I wiped the computer and reinstalled everything (fortunately, this was a computer without anything important on it), and the same thing happened - infection immediately after installing updates.

I reported it to Microsoft. Their response was "that's not possible because we have virus scanners, so you must have gotten infected some other way" - flat-out denial of the problem.
 


Ric Ford

MacInTouch
Many years ago, a PC of mine got infected by Microsoft's own update server. I was running McAfee antivirus. I had just scanned the system and it was clean. Then I did a "windows update" and immediately afterward, it started alerting me about infections. I wiped the computer and reinstalled everything (fortunately, this was a computer without anything important on it), and the same thing happened - infection immediately after installing updates.
That sounds like it could potentially have been a man-in-the-middle attack or DNS spoofing and possibly not an infection in Microsoft's own servers.

Here are some related articles:
Sophos said:
Flame malware used man-in-the-middle attack against Windows Update
Microsoft has released an emergency update for all versions of Windows to address a certificate flaw that was used to spread the Flame malware from machine to machine.

Of course you have to trust that your connection to Windows Update is not being attacked while you’re retrieving the update that prevents you from being attacked....

The idea of someone with malicious intent impersonating Windows Update has been discussed for years in the security community. It is sort of a nightmare scenario and I suppose it is good news that it was being used in such a limited way.
ZDNet said:
Windows patches can be intercepted and injected with malware
Researchers say Windows machines that fetch updates from an enterprise update server not configured to use encryption are vulnerable to an injection attack.
 
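A worked example of the point the Sophos and ZDNet items make, added here and not taken from any post above or from Microsoft: an update client that lets the transport (plain HTTP to a WSUS box, or a spoofed DNS/certificate path as in the Flame case) be its only check will install whatever an on-path attacker hands it, and fetching a digest over that same channel does not help, because the attacker rewrites both. Only a digest the client already holds rejects the swap. The "server", the payloads and the resource names are constructed for the example.

```python
"""Added example (not code from MacInTouch, Microsoft or Sophos): why the trust
anchor for an update must be something the client already holds, not the
channel the update arrived over. All server/payload data is constructed."""
import hashlib
import hmac
from typing import Callable, Dict, Optional

# A "channel" maps a resource name to the bytes the client receives for it.
Channel = Callable[[str], bytes]

# Constructed stand-ins for an update package and a trojanised copy of it.
GENUINE_UPDATE = b"KB-EXAMPLE-0001: genuine update body\n"
TAMPERED_UPDATE = GENUINE_UPDATE + b"<attacker-appended payload>\n"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Digest baked into the client at build time: learned out of band, never fetched.
PINNED_UPDATE_SHA256 = sha256_hex(GENUINE_UPDATE)


def honest_server(resource: str) -> bytes:
    """Constructed update server that serves the genuine artefacts."""
    if resource == "update.bin":
        return GENUINE_UPDATE
    if resource == "update.bin.sha256":
        return sha256_hex(GENUINE_UPDATE).encode()
    raise KeyError(resource)


def mitm(channel: Channel) -> Channel:
    """Wrap a channel the way an on-path attacker could on an unauthenticated
    transport: swap the payload and rewrite the side-car digest to match it."""
    def tampered(resource: str) -> bytes:
        if resource == "update.bin":
            return TAMPERED_UPDATE
        if resource == "update.bin.sha256":
            return sha256_hex(TAMPERED_UPDATE).encode()
        return channel(resource)
    return tampered


def install_trusting_channel(channel: Channel) -> Optional[bytes]:
    """Weak: whatever arrives is installed; the transport is the only 'check'."""
    return channel("update.bin")


def install_with_sidecar_hash(channel: Channel) -> Optional[bytes]:
    """Still weak: the digest travels over the same channel as the payload,
    so whoever can replace one can replace both. Returns None on mismatch."""
    payload = channel("update.bin")
    expected = channel("update.bin.sha256").decode()
    return payload if hmac.compare_digest(sha256_hex(payload), expected) else None


def install_with_pinned_hash(channel: Channel) -> Optional[bytes]:
    """Hardened: compare against a digest the client already held.
    Returns the payload only if it matches; None otherwise."""
    payload = channel("update.bin")
    return payload if hmac.compare_digest(sha256_hex(payload), PINNED_UPDATE_SHA256) else None


def run_scenarios() -> Dict[str, bool]:
    """Exercise each install routine against the honest server and the MITM'd one.
    '..._installs_tampered' == True means the check failed and malware went in."""
    attacked = mitm(honest_server)
    return {
        "trusting_channel_installs_tampered": install_trusting_channel(attacked) == TAMPERED_UPDATE,
        "sidecar_hash_installs_tampered": install_with_sidecar_hash(attacked) == TAMPERED_UPDATE,
        "pinned_hash_installs_tampered": install_with_pinned_hash(attacked) == TAMPERED_UPDATE,
        "pinned_hash_accepts_genuine": install_with_pinned_hash(honest_server) == GENUINE_UPDATE,
    }


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:40s} {outcome}")
```

A pinned digest only works for one known update, so real updaters pin a public key and verify a signature over each package instead; the Flame incident is the reminder that the certificate chain behind that key then becomes the thing to attack.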


And this is far from the first time.
Many years ago, a PC of mine got infected by Microsoft's own update server. I was running McAfee antivirus. I had just scanned the system and it was clean. Then I did a "windows update" and immediately afterward, it started alerting me about infections. I wiped the computer and reinstalled everything (fortunately, this was a computer without anything important on it), and the same thing happened - infection immediately after installing updates.
I reported it to Microsoft. Their response was "that's not possible because we have virus scanners, so you must have gotten infected some other way" - flat-out denial of the problem.
Another possibility could be opportunistic infection during the update process?

Years ago Windows had a number of vulnerabilities that could be exploited remotely, over the network. An unpatched PC, without an adequate firewall or anti-virus, could be compromised in a matter of minutes, if not seconds. In fact, it was a real problem just getting a new Windows PC updated; it would be infected faster than it could download the necessary patches.

So what if, during the update process, Windows had shut down the anti-virus but still had the vulnerable network ports exposed?

I don't think that could happen today, but we're talking about many years ago when security was less sophisticated.
 


Ric Ford

MacInTouch
FYI:
Bleeping Computer said:
Evernote Fixes Remote Code Execution Vulnerability in macOS App

A local file path traversal vulnerability which allows attackers to run arbitrary code on their targets' Macs remotely was fixed by Evernote after receiving a report from security researcher Dhiraj Mishra.

The security issue tracked as CVE-2019-10038 was found by Mishra in Evernote 7.9 for macOS and it is now patched in the 7.10 Beta 1 version. As detailed in a forum post on the company's forum, the fix is now also available in the stable 7.9.1 version which just got released.

As the researcher explained, the software flaw can be exploited to run arbitrary code remotely "Since Evernote also has a feature of sharing notes, in such a case an attacker could leverage this vulnerability and send crafted notes (.enex) to the victim to perform further attacks."
 
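As an added illustration of the bug class in the Bleeping Computer item (this is not Evernote's code, and the article above does not describe the exact mechanism, so it is generic): an importer that writes files under names taken from an untrusted document, such as entries inside a shared note archive, lets the sender pick the destination if it accepts "../" segments or absolute paths. The vulnerable join sits beside a containment check; member names and the demo directory are constructed for the example.

```python
"""Added example (not Evernote's code): generic local file path traversal in an
importer, and the containment check that prevents it. Sample names constructed."""
import os
import posixpath
import tempfile
from typing import Dict, List


def unsafe_destination(extract_root: str, member_name: str) -> str:
    """Vulnerable pattern: join the attacker-chosen name straight under the root.
    '../' walks out of the root, and os.path.join discards the root entirely
    when the name is absolute."""
    return os.path.join(extract_root, member_name)


def safe_destination(extract_root: str, member_name: str) -> str:
    """Hardened: treat the name as a relative POSIX path, normalise it, and only
    accept it if the resolved target is still inside the (symlink-resolved)
    root. Raises ValueError for anything else."""
    root = os.path.realpath(extract_root)
    name = member_name.replace("\\", "/")          # do not let '\\' dodge the checks
    first = name.split("/", 1)[0]
    if not name or name.startswith("/") or ":" in first:
        raise ValueError("absolute or drive-qualified name")
    norm = posixpath.normpath(name)                # collapses 'a/./b', 'a/x/../b', etc.
    if norm in (".", "..") or norm.startswith("../"):
        raise ValueError("name escapes the root")
    # realpath also follows any symlink already planted under root, so a member
    # that resolves outside the root through a link is rejected too.
    candidate = os.path.realpath(os.path.join(root, *norm.split("/")))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("resolved path is outside the root")
    return candidate


def triage(extract_root: str, member_names: List[str]) -> Dict[str, str]:
    """Classify each member: 'ok:<path>' if it may be written, 'rejected:<why>' if not."""
    results: Dict[str, str] = {}
    for name in member_names:
        try:
            results[name] = "ok:" + safe_destination(extract_root, name)
        except ValueError as exc:
            results[name] = "rejected:" + str(exc)
    return results


# Constructed member names such as a crafted note archive might carry.
SAMPLE_MEMBERS = [
    "notes/meeting.xml",                         # benign
    "notes/../attachments/photo.jpg",            # odd but still inside the root
    "../../Library/LaunchAgents/persist.plist",  # traversal toward a login item
    "/etc/hosts",                                # absolute path
    "..\\..\\evil.sh",                           # Windows-style separators
    "C:/Windows/evil.dll",                       # drive-qualified
]


def demo() -> Dict[str, str]:
    """Run the triage against a fresh temporary directory and return the verdicts."""
    root = tempfile.mkdtemp(prefix="note-import-")
    return triage(root, SAMPLE_MEMBERS)


if __name__ == "__main__":
    for member, verdict in demo().items():
        print(f"{member:45s} -> {verdict}")
```

The check resolves both the root and the candidate with realpath before comparing, so a symlink the document dropped in an earlier step cannot be used to point a later member outside the import directory.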


Ric Ford

MacInTouch
"Supply chain" attacks are super-dangerous and widespread, apparently:
Wired said:
A Mysterious Hacker Group Is On a Supply Chain Hijacking Spree

A software supply chain attack represents one of the most insidious forms of hacking. By breaking into a developer's network and hiding malicious code within apps and software updates that users trust, supply chain hijackers can smuggle their malware onto hundreds of thousands—or millions—of computers in a single operation, without the slightest sign of foul play. Now what appears to be a single group of hackers has managed that trick repeatedly, going on a devastating supply chain hacking spree—and becoming more advanced and stealthy as they go.

Over the past three years, supply chain attacks that exploited the software distribution channels of at least six different companies have now all been tied to a single group of likely Chinese-speaking hackers. They're known as Barium, or sometimes ShadowHammer, ShadowPad, or Wicked Panda, depending on which security firm you ask. More than perhaps any other known hacker team, Barium appears to use supply chain attacks as their core tool. Their attacks all follow a similar pattern: Seed out infections to a massive collection of victims, then sort through them to find espionage targets.

The technique disturbs security researchers not only because it demonstrates Barium's ability to disrupt computers on a vast scale but also because it exploits vulnerabilities in the most basic trust model governing the code users run on their machines.
 


"Supply chain" attacks are super-dangerous and widespread, apparently:
Although there have been similar attacks against macOS in the past (e.g. Creative Updater/fake OnyX, Proton B/fake Handbrake) and there certainly may be more in the future, I don't believe that this particular group (Axiom/APT17) was ever found to be the source. There has been some hardening of macOS since the examples noted, but it is still important for Mac users to recognize that such an attack is possible.
 


Ric Ford

MacInTouch
FYI:
BBC News said:
WhatsApp discovers 'targeted' surveillance attack
Hackers were able to remotely install surveillance software on phones and other devices using a major vulnerability in messaging app WhatsApp, it has been confirmed.

WhatsApp, which is owned by Facebook, said the attack targeted a "select number" of users, and was orchestrated by "an advanced cyber actor".

A fix was rolled out on Friday.

On Monday, WhatsApp urged all of its 1.5 billion users to update their apps as an added precaution.

The attack was developed by Israeli security firm NSO Group, according to a report in the Financial Times.
The Verge said:
Update WhatsApp now to avoid spyware installation from a single missed call
A vulnerability discovered in Facebook’s WhatsApp messaging app is being exploited to inject commercial spyware onto Android and iOS phones by simply calling the target, reports The Financial Times. The spyware, developed by Israel’s secretive NSO group, can be installed without trace and without the target answering the call, according to security researchers and confirmed by WhatsApp.

Once installed, the spyware can turn on a phone’s camera and mic, scan emails and messages, and collect the user’s location data. WhatsApp is urging its 1.5 billion global users to update the app immediately to close the security hole.
 





I'd add that the Bloomberg story didn't really make any technical sense. The cover for the magazine shows the equivalent of a TO23 chip with a grand total of 6 connectors to tie into the motherboard with. Presumably, two will be needed for power, leaving 4... to listen in on what? Oh, and transmit, too! Etc.

The article basically suggests that the Chinese modified the server boards to allow the insertion of these wonderchips to take over the Intelligent Platform Management Interface (IPMI), which is a set of dedicated chips and network infrastructure to manage a modern motherboard. IPMI governs (among other things) updates to the BIOS, fan settings, even shell access. Thus, successfully breaching the IPMI system seems like a great idea...

But, have a look at the multi-layer PCBs in use for the average server motherboard and find me a spot presumably close to the Baseboard Management Controller (BMC) at the heart of the IPMI system where I can place a wonderchip, find power, get the necessary communications lines in order, etc. It won't be easy. That chip will have to have all sorts of things on board, boot faster than the IPMI, and inject its payload at just the right time.

Even if this test is met, ServeTheHome.com points out how little that gains, as IPMIs are typically kept on networks that, by design, allow no connection to the outside world (air gap, etc.). So if the compromised IPMI/BMC can't reach the internet, it cannot download the various payloads that these wonderchips can command the BMC to allegedly implant itself with. FWIW, I simply disconnect the ethernet cable from the dedicated BMC ethernet port to my switch when I don't need the BMC to be accessible. It's hard to hack across a 3' air gap.

Instead of these wonderchips, a much more likely scenario would be for China or any other state actor to intercept server hardware shipments post-manufacturing and modify them via software/hardware to allow spying. The NSA (per Snowden) has allegedly been doing this for decades via "Tailored Access Operations" (TAO) and like programs. The exploits of this group are legendary.
 


Objective Development said:
Little Snitch 4.4

Security
This version fixes a vulnerability which allows privilege escalation to root for any local user. Please upgrade before details of the vulnerability are published!

The vulnerability has been assigned the number CVE-2019-13013. More information will be made available later, when most users have upgraded to the latest version.
 


Ric Ford

MacInTouch
Jonathan Leitschuh said:
I subsequently got another email about it, referencing this story:
Vice said:
Zoom Vulnerability Lets Hackers Hijack Your Webcam

... Another issue is that even if a user has uninstalled the app, Zoom still leaves a web server up and running on the users' computer, allowing Zoom to still download software onto the machine. This isn't some oversight, but a deliberate decision by Zoom—this is designed for Zoom to be able to swiftly, and it seems surreptitiously, re-install the app if a user visits a Zoom conference link.

"What I found out was that this web server can also re-install the Zoom app if a user has uninstalled it," Leitschuh wrote.

Leitschuh said he searched for several hours in both official and unofficial documentation for any mention of this desktop web server. "This webserver’s API is completely undocumented as far as I can tell," he wrote.
 




It's worth mentioning that RingCentral web/video conferencing software also has the Zoom vulnerability. RingCentral conferencing is a white-label version of Zoom that is aimed at the small and mid-sized business market, and it is quite popular in the SMB space.

If you are responsible for maintaining systems with RingCentral installed, you'll want to review the availability of patches and whether other action should be taken.

You can disable the RingCentral vulnerability manually using steps that are analogous to (but not identical to) the Zoom remediation steps. TidBITS has more information:

 


Zoom has now updated their Mac client to fix this hole.
Release notes of 4.4.53932.0709:
Remove local web server
-We are discontinuing the use of a local web server on Mac devices. Following the update, the local web server will be completely removed from the Zoom installation

Option to uninstall Zoom
-Zoom users can now uninstall the Zoom desktop application and all of its components through the settings menu
 
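A way to confirm on your own Mac that no such local web server is still listening after the update, added here as an example and not code from Zoom, RingCentral or Leitschuh: parse the output of `lsof +c 0 -nP -iTCP -sTCP:LISTEN` and report loopback-only listeners by process name. The sample rows, including the process name and port number, are constructed for the example; the real check runs collect() on the machine.

```python
"""Added example (not Zoom's or Leitschuh's code): find loopback-only TCP
listeners in lsof output, to spot a leftover local web server. Sample rows
are constructed for this example."""
import re
import subprocess
from dataclasses import dataclass
from typing import List

# +c 0 stops lsof truncating COMMAND to 9 characters; -nP keeps addresses numeric.
LSOF_CMD = ["lsof", "+c", "0", "-nP", "-iTCP", "-sTCP:LISTEN"]

# Constructed lsof output in the default column layout.
SAMPLE_LSOF_OUTPUT = """\
COMMAND     PID  USER   FD   TYPE             DEVICE SIZE/OFF NODE NAME
ZoomOpener  512 alice    6u  IPv4 0x7f1c2a3b4c5d6e7f      0t0  TCP 127.0.0.1:19421 (LISTEN)
rapportd    301 alice    4u  IPv4 0x7f1c2a3b4c5d6e80      0t0  TCP *:49152 (LISTEN)
sshd         88  root    3u  IPv6 0x7f1c2a3b4c5d6e81      0t0  TCP *:22 (LISTEN)
SomeAgent   700 alice    5u  IPv6 0x7f1c2a3b4c5d6e82      0t0  TCP [::1]:8081 (LISTEN)
"""

# NAME column: IPv4 dotted quad, bracketed IPv6, or '*' (all interfaces), then :port.
_NAME_RE = re.compile(r"^(?P<addr>\[[0-9a-fA-F:]+\]|[0-9.]+|\*):(?P<port>\d+)$")


@dataclass
class Listener:
    command: str
    pid: int
    addr: str
    port: int

    @property
    def loopback_only(self) -> bool:
        """True when bound to a loopback address, i.e. reachable only from
        software on the same machine (including a browser following a link)."""
        bare = self.addr.strip("[]")
        return bare.startswith("127.") or bare == "::1"


def parse_listeners(lsof_output: str) -> List[Listener]:
    listeners: List[Listener] = []
    for line in lsof_output.splitlines()[1:]:     # skip header row
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        m = _NAME_RE.match(fields[-2])
        if not m:
            continue
        listeners.append(Listener(command=fields[0], pid=int(fields[1]),
                                  addr=m.group("addr"), port=int(m.group("port"))))
    return listeners


def find_local_servers(lsof_output: str, name_hint: str) -> List[Listener]:
    """Loopback-only listeners whose command name contains name_hint (case-insensitive)."""
    hint = name_hint.lower()
    return [l for l in parse_listeners(lsof_output)
            if l.loopback_only and hint in l.command.lower()]


def collect() -> str:
    """Run lsof on this machine (not used by the offline demo)."""
    return subprocess.run(LSOF_CMD, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for hit in find_local_servers(SAMPLE_LSOF_OUTPUT, "zoom"):
        print(f"{hit.command} (pid {hit.pid}) listening on {hit.addr}:{hit.port}")
```

Replace SAMPLE_LSOF_OUTPUT with collect() and an empty name hint to list every loopback listener; anything bound to `*` is reachable from the network as well and is not a "local only" server in the sense the Vice piece describes.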

