Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Apple MacOS. Show all posts

New MacOS Malware Steals Browser Data and Cryptocurrency

 



While malware attacks on Windows and Android systems are more frequent, macOS is not immune to such dangers. Cybersecurity experts at Moonlock Lab have identified a new type of macOS malware that adeptly avoids detection and poses a serious threat to user data and cryptocurrency.


How the Malware Spreads

The infection starts when users visit websites that offer pirated software. On these sites, they might download a file called CleanMyMacCrack.dmg, thinking it’s a cracked version of the CleanMyMac utility. However, launching this DMG file triggers a Mach-O executable, which then downloads an AppleScript. This script is specifically designed to steal sensitive information from the infected Mac.


Malware Capabilities

Once the malware infiltrates a macOS system, it can carry out a range of malicious activities:

  • It captures and stores the Mac user's username.
  •  The malware sets up temporary directories to store stolen information temporarily.
  •  It retrieves browsing history, cookies, saved passwords, and other data from different web browsers.
  •  The malware identifies and accesses directories containing cryptocurrency wallets.
  •  It copies data from the macOS keychain, Apple Notes, and Safari cookies.
  •  It gathers general user information, system specifications, and metadata.
  •  All the collected data is eventually exfiltrated to the attackers.


Link to a Known Hacker

Moonlock Lab has traced this macOS malware back to a notorious Russian-speaking hacker known as Rodrigo4. This individual has been seen on the XSS underground forum, where he is actively seeking collaborators to help spread his malware through search engine optimization (SEO) manipulation and online advertisements.

Rodrigo4's method involves manipulating search engine results and placing ads to lure unsuspecting users into downloading the malicious software. By making the malware appear as a popular utility, he increases the chances of users downloading and installing it, unknowingly compromising their systems.


How to Protect Yourself

To prevent this malware from infecting your Mac, Moonlock Lab recommends several precautions:

1. Only download software from reputable and trusted sources.

2. Regularly update your operating system and all installed applications.

3. Use reliable security software to detect and block malware.

The crucial point is users should be cautious about downloading software from unverified websites and avoid using pirated software, as these are common vectors for malware distribution. Staying informed about the latest cybersecurity threats and adopting good digital hygiene practices can also drastically reduce the risk of infection.




New macOS Malware Threat: What Apple Users Need to Know

 

Recently, the Moonlock Lab cybersecurity team discovered a macOS malware strain that can easily evade detection, posing a significant threat to users' data privacy and security. The infection chain for this malware begins when a Mac user visits a website in search of pirated software. 

On such sites, users might encounter a file titled CleanMyMacCrack.dmg, believing it to be a cracked version of the popular Mac cleaning software, CleanMyMac. When this DMG file is launched on the computer, it executes a Mach-O file, which subsequently downloads an AppleScript designed to steal sensitive information from the infected Mac. Once the malware infects a macOS computer, it can perform a variety of malicious actions. It collects and stores the Mac owner's username and sets up temporary directories to hold stolen data before exfiltration. The malware extracts browsing history, cookies, saved passwords, and other sensitive data from web browsers. It also identifies and accesses directories that commonly contain cryptocurrency wallets. 

Additionally, it copies macOS keychain data, Apple Notes data, and cookies from Safari, gathers general user information, system details, and metadata, and then exfiltrates all this stolen data to threat actors. Moonlock Lab has linked this macOS malware to a well-known Russian-speaking threat actor, Rodrigo4. This hacker has been active on the XSS underground forum, where he has been seen recruiting other hackers to help distribute his malware using SEO manipulation and online ads. This discovery underscores the growing threat of sophisticated malware targeting macOS users, a group often perceived as being less vulnerable to such attacks. 

Despite Apple's strong security measures, this incident highlights that no system is entirely immune to threats, especially when users are lured into downloading malicious software from untrustworthy sources. To protect yourself from such threats, it is essential to take several precautions. First and foremost, avoid downloading pirated software and ensure that you only use trusted and official sources for your applications. Pirated software often hides malware that can compromise your system's security. Installing reputable antivirus software and keeping it updated can help detect and block malware on macOS. Regularly updating your macOS and all installed applications is crucial to patch any security vulnerabilities that may be exploited by attackers. 

Additionally, exercise caution with downloads from unfamiliar websites or sources. Always verify the legitimacy of the website and the software before downloading and installing it. Enabling macOS’s built-in security features, such as Gatekeeper and XProtect, can also provide an additional layer of protection against malicious software. Gatekeeper helps ensure that only trusted software runs on your Mac, while XProtect provides continuous background monitoring for known malware. The Moonlock Lab's findings highlight the need for greater awareness and proactive measures to safeguard personal data and privacy. Users should remain vigilant and informed about the latest security threats and best practices for protecting their devices. 

By staying informed and cautious, Apple users can better protect their devices from malware and other cybersecurity threats. Awareness of the potential risks and implementing the recommended security practices can significantly reduce the likelihood of falling victim to such malicious activities. As cyber threats continue to evolve, maintaining robust security measures and staying updated on the latest threats will be crucial in ensuring the safety and integrity of personal data on macOS devices.

New Cuckoo Malware Targeting macOS Users to Steal Sensitive Data

 

Cybersecurity experts have identified a new information stealer targeting Apple macOS computers that is intended to establish persistence on compromised hosts and function as spyware.

Kandji's malware, dubbed Cuckoo, is a universal Mach-O binary that can execute on both Intel and Arm Macs. The exact distribution vector is currently unknown, but there are indications that the binary is hosted on sites such as dumpmedia[.]com, tunesolo[.]com, fonedog[.]com, tunesfun[.]com, and tunefab[.]com, which claim to provide free and paid versions of applications for ripping music from streaming services and converting it to MP3 format. 

The disk image file downloaded from the websites is responsible for spawning a bash shell to collect host data and ensuring that infected machines are not located in Armenia, Belarus, Kazakhstan, Russia, Ukraine.

The malicious binary is executed only if the locale check is successful. It also achieves persistence through the use of a LaunchAgent, a strategy previously employed by other malware families such as RustBucket, XLoader, JaskaGO, and a macOS backdoor that bears similarities with ZuRu.

Cuckoo, like the MacStealer macOS stealer malware, uses osascript to create a fake password prompt, luring users into entering their system passwords for privilege escalation. "This malware queries for specific files associated with specific applications, in an attempt to gather as much information as possible from the system," researchers Adam Kohler and Christopher Lopez stated. 

It can execute a sequence of commands to gather hardware data, capture currently running processes, search for installed apps, take screenshots, and collect data from iCloud Keychain, Apple Notes, web browsers, cryptocurrency wallets, and apps such as Discord, FileZilla, Steam, and Telegram. 

"Each malicious application contains another application bundle within the resource directory," the researchers added. "All of those bundles (except those hosted on fonedog[.]com) are signed and have a valid Developer ID of Yian Technology Shenzhen Co., Ltd (VRBJ4VRP).” 

The news comes nearly a month after Apple's device management company revealed another stealer spyware called CloudChat, which masquerades as a privacy-oriented messaging programme and can compromise macOS users whose IP addresses do not geolocate to China. The spyware harvests cryptocurrency private keys transferred to the clipboard as well as data linked with wallet extensions installed in Google Chrome.

Apple Faces New Security Dilemma as Infostealers Execute Stealthy Attacks

 


There is an increase in the sophistication of info thieves targeting macOS, allowing them to evade Apple's malware protection built into the operating system as these attackers have become better at cracking static signature-detection engines like the platform's proprietary XProtect, which makes it harder to detect malicious programs. 

Currently, there are three active stealers, KeySteal, Atomic Infostealer, and CherryPie that can evade detection engines and have been able to get around multiple detection engines. XProtect's XProtect is currently evading a variant of the first two stealers, SentinelOne researchers revealed in a blog post earlier this week. 

In macOS, XProtect is a built-in antivirus program that searches downloaded files and apps for malware signatures and then removes any that contain malware. Information stealers targeting the macOS operating system have increased since the beginning of 2023, with many threat actors actively targeting Apple devices. 

There have been a great deal of versions of Atomic Stealer, macOS meta-stealer, RealStealer, and many others that have been discovered in the past year. In macOS, Apple updated its built-in antivirus signature database called XProtect, which indicates that Apple has taken the necessary steps to prevent these info thieves from getting their hands dirty. 

The threat actors, on the other hand, have been continuously evolving and evading known signatures of malware. Although Apple continuously updates the tool's malware database, SentinelOne says it passes through it almost instantly due to the fast response of the malware authors over Apple's constant updates. 

Many info thieves bypass it in a matter of seconds and can identify endpoints that are hidden in downloaded files and apps. It is important to note that SentinelOne's report cites KeySteal as the first malware example, which has evolved significantly since the malware was first reported in 2021. 

The software is currently available via an Xcode-built Mach-O binary, named either 'UnixProject' or 'ChatGPT,' and it attempts to establish persistence and steal keychain data, as well as stealing credentials and private keys, which are stored securely in Keychain. 

Using Keychain, users can securely store credentials, private keys, certificates, and notes securely. A SentinelOne report states that KeySteal has been improved to ensure persistence and Keychain data theft since its emergence in 2021, even though Apple updated its signature last February in an attempt to prevent it from being detected by XProtect and other antivirus engines. 

A researcher claims that KeySteal operators could also use a rotation mechanism to circumvent problems related to the application's hard-coded command-and-control addresses, as a way of subverting those issues. There is some good news in all this, as Apple updated its XProtect signatures for CherryPie in early December 2023, which is a good sign that it has worked well for new versions of the OS as well. 

However, malware detection has not always worked as well on Virus Total as it does on other security products. As is evident from the above, there is an ongoing development of malware programs intended to evade detection and so, on the one hand, this game of whack-a-mole is becoming a much more complex and dangerous one for both users and operating system vendors.

Having only static detection as a means of securing your systems would be inadequate, and potentially dangerous. Antivirus software equipped with heuristic or dynamic analysis capabilities should be incorporated into a comprehensive approach to achieve a more robust result. As part of a comprehensive cybersecurity strategy, it is also essential to monitor network activity vigilantly, implement firewalls, and consistently keep up with the latest security updates, which are fundamental to ensuring security.

Apple Adopts Universal Texting Standard

Apple has made a significant move away from the iMessage exclusivity that has dominated its environment for more than ten years and toward the adoption of a universal texting standard. This action is anticipated to close the messaging gap between Android and iPhone users, representing a big step toward seamless cross-platform communication.

For years, iPhone users have enjoyed the benefits of iMessage, an exclusive messaging platform that offers enhanced features, including read receipts, high-quality media sharing, and end-to-end encryption. However, the downside was the notorious "green bubble" dilemma, where Android users received messages in a different format, devoid of the enhanced functionalities available on iMessage. This created a sense of division in the messaging experience.

Apple's decision to embrace a universal texting standard is a welcome change, as it signals a departure from the walled-garden approach that has defined the company's messaging strategy. The move is expected to eliminate the disparities between iPhone and Android users, creating a more inclusive and integrated messaging environment.

Adopting a universal texting standard is not only a boon for users but also a strategic move by Apple to stay relevant in a rapidly evolving tech landscape. With increasing users relying on cross-platform communication, the demand for interoperability has never been higher. Apple's decision to collaborate with Android in this endeavour is a testament to the company's commitment to user-centric innovation.

While the specifics of the universal texting standard are yet to be fully revealed, the potential benefits are already generating excitement among tech enthusiasts. Interoperability between iOS and Android devices will enhance the overall user experience and foster a sense of unity in the digital communication space.

The IT community is excited about the beneficial effects of Apple's revolutionary decision to remove the boundaries that have long divided iPhone and Android users in the area of texting. In terms of encouraging open communication, the development of a global texting standard is a big step forward, paving the way for a more connected and cooperative digital future.

KandyKorn: Apple MacOS Malware Targets Blockchain Engineers of Crypto Exchange Platform


A new malware linked to the North Korean threat group Lazarus was discovered on Apple’s macOS, and it appears that it was intended for the blockchain engineers of a crypto exchange platform. 

KandyKorn Malware 

According to a study conducted by Elastic Security Labs, the malware, dubbed as ‘KandyKorn’ is a sophisticated backdoor that could be used to steal data, directory listing, file upload/download, secure deletion, process termination, and command execution.

At first, the attackers used Discord channels to propagate Python-based modules by pretending to be active members of the community.

Apparently, the social engineering attacks pose as an arbitrage bot intended to generate automatic profits by coercing its members into downloading a malicious ZIP archive called “Cross=platform Bridges.zip.” However, there are 13 malicious modules that are being imported by the file to work together in order to steal and alter the stolen information. 

The report reads, “We observed the threat actor adopting a technique we have not previously seen them use to achieve persistence on macOS, known as execution flow hijacking.”

Users of Unibot were notified by blockchain analytics company Scopescan about an ongoing hack, which was subsequently verified by an official source:

“We experienced a token approval exploit from our new router and have paused our router to contain the issue.” Later, Unibot guaranteed that it would compensate all the victims who lost their funds in the exploit. 

Lazarus Group/ Lazarus is a North Korean state-sponsored cyber threat group, linked to the Reconnaissance General Bureau that operates out of North Korea. As part of a campaign called Operation Blockbuster by Novetta, the group, which has been operating since at least 2009, is said to have been behind the devastating wiper attack against Sony Pictures Entertainment in November 2014. The malware that Lazarus Group uses is consistent with other known campaigns, such as DarkSeoul, Operation Flame, Operation 1Mission, Operation Troy, and Ten Days of Rain.

However, in certain definitions of the North Korean group, security researchers apparently report all North Korean state-sponsored cyber activities under the term Lazarus Group instead of tracking clusters or subgroups like Andariel, APT37, APT38, and Kimsuky.

The crypto industry remains a main target for Lazarus, with a primary motivation of profit rather than espionage, which is their second primary operational focus.

The fact that KandyKorn exists proves that macOS is well within Lazarus's target range and highlights the threat group's amazing ability to create subtle and sophisticated malware specifically designed for Apple devices.  

XLoader macOS Malware Variant Disguised as 'OfficeNote' Productivity App

 

A fresh variant of the Apple macOS malware known as XLoader has emerged, disguising its malicious intent through an office productivity app named "OfficeNote," according to cybersecurity experts from SentinelOne. 

In an analysis released on Monday, researchers Dinesh Devadoss and Phil Stokes revealed that the new form of XLoader is packaged within a regular Apple disk image, named OfficeNote.dmg. The application it contains bears the developer signature "MAIT JAKHU (54YDV8NU9C)."

XLoader, initially spotted in 2020, is categorized as an information stealer and keylogger that operates under the malware-as-a-service (MaaS) model. 

It follows in the footsteps of Formbook. While a macOS variant of XLoader emerged in July 2021, distributed as a Java program in the form of a compiled .JAR file, its execution was limited by the absence of the Java Runtime Environment in modern macOS installs.

To circumvent this constraint, the latest version of XLoader employs programming languages like C and Objective C. The disk image file carrying the malware was signed on July 17, 2023, a signature that has since been revoked by Apple.

SentinelOne reported discovering multiple instances of the malicious artifact on VirusTotal throughout July 2023, indicating a wide-reaching campaign. The researchers noted that the malware is advertised for rent on criminal forums, with the macOS version priced at $199 per month or $299 for three months.

Interestingly, this pricing is steeper than that of the Windows versions of XLoader, which are available for $59 per month or $129 for three months.

Once initiated, the seemingly harmless OfficeNote app displays an error message claiming it cannot be opened due to a missing original item. In reality, it surreptitiously installs a Launch Agent in the background to ensure its persistence.

XLoader's functionality centers around the collection of clipboard data and information stored within directories associated with web browsers like Google Chrome and Mozilla Firefox. However, Safari appears to be exempt from its targeting. 

Additionally, the malware is engineered to introduce sleep commands, delaying its execution and evading detection by both manual and automated security measures.

"XLoader continues to present a threat to macOS users and businesses," the researchers concluded.

"This latest iteration masquerading as an office productivity application shows that the targets of interest are clearly users in a working environment. The malware attempts to steal browser and clipboard secrets that could be used or sold to other threat actors for further compromise."

New Malware can Allow Control of macOS Without Users Noticing


Cybersecurity company Guardz recently exposed a new malware, used by hackers to take control of unprotected Macs, remotely. Guardz describes how a threat agent has been selling the tool on a Russian cybercrime forum since April 2023 in a blog post. 

Hidden Virtual Network Computing (HVNC)

HVNC is a malware, sharing similarities with a VNC (Virtual Network Computing), a tool used in remotely controlling computers over the internet or other networks. 

An employer with an IT department might, for instance, utilize VNC to diagnose a worker's computer, and the worker can see that the computer is being accessed. However, with an HVNC, the target user is unaware of the access, allowing a threat actor to utilize an HVNC for malicious practices.

Reportedly, the malware has been distributed to the Russian cybercrime forum – Exploit. For a "lifetime price of $60,000," the threat agent is selling the HVNC, and for an extra $20,000, the customer can add "more malicious capabilities to the arsenal."

However, Guardz did not mention any instance of such a case except in Mac. Moreover, the CVE.report database that identifies various vulnerabilities and exploits did not yet make an entry of the HVNC malware, and neither did Apple release an official statement.

How to Protect Oneself Against the Malware

While malware attacks are inevitable, users can protect themselves by taking certain measures.

First, one must make sure to update their macOS to the latest version. Moreover, Apple provides safeguards within macOS, along with releasing security patches regularly through OS updates, thus it becomes necessary to adopt them whenever they are made available to the users.

With macOS Ventura 13.5 being the latest version, a user who is using any other version is in fact running an older version, which needs to be updated. However, Apple has released security updates for its operating systems like Monterey and Big Sur – Monterey 12.6.8 and Big Sur 11.7.9 on July 24. 

Since malware are often presented as legitimate software distributed to users via email or on web forums and slipshod websites, another way that can keep users from falling prey to the malware is by only downloading software from trusted sources, like App Store or directly from the developers.

Moreover, users can make use of the several guides provided online, such as the guides on ‘whether or not you need antivirus software,’ list of Mac viruses, malware, and Trojans, and a comparison of Mac security software.

Rustbucket Malware Targeting MacOS Devices Silently

 

Rustbucket, a brand-new type of malware, has just lately surfaced and is now a serious threat to macOS devices. This sneaky spyware works stealthily to infect Mac systems without raising any red flags. Rustbucket has drawn the attention of security professionals due to its capacity to pass itself off as a secure PDF viewer. The goal of this paper is to educate readers on Rustbucket's secrecy, its possible origins, and the security measures that users should take to safeguard their macOS computers.

Rustbucket has been making waves in the cybersecurity community due to its covert infiltration tactics. It disguises itself as a seemingly innocent PDF viewer, tricking users into unknowingly granting it access to their Mac systems. Once inside, the malware remains dormant, evading detection by security software and Mac users alike. Experts have emphasized the sophistication of Rustbucket's techniques, enabling it to silently gather sensitive information and execute malicious activities undetected.

Researchers have linked Rustbucket to North Korean state-sponsored advanced persistent threat (APT) attacks. While further investigation is needed to confirm its origins definitively, the resemblance to previously observed North Korean APT malware is striking. This discovery raises concerns about potential state-sponsored cyber espionage and highlights the need for heightened vigilance in macOS security.

Users of macOS face serious threats because of the existence of Rustbucket. Once installed, it can enable the execution of more malicious actions, undermine user privacy, and provide unwanted access to sensitive data. Additionally, Rustbucket grows harder to locate and remove as it surreptitiously infiltrates the system, possibly causing long-term harm.

Protective Measures:
  • Keep software up to date: Regularly updating the operating system and applications help protect against known vulnerabilities that malware exploits.
  • Exercise caution with email attachments: Be cautious when opening email attachments, particularly those from unknown or suspicious sources. Verify the legitimacy of the attachment and sender before proceeding.
  • Employ robust security software: Install reputable antivirus software specifically designed for macOS systems. Regularly update and scan your device to detect and remove potential threats.
  • Practice safe browsing habits: Exercise caution when visiting unfamiliar websites or downloading files. Stick to trusted sources and use caution when prompted to install third-party plugins or applications.
For macOS users, Rustbucket poses a serious security risk because it surreptitiously infiltrates their systems while pretending to be a helpful PDF viewer. With possible ties to North Korean APT strikes, its covert operation raises questions about data privacy and cybersecurity. Users may defend their macOS devices against Rustbucket and related threats by remaining watchful, updating their applications, and using strong security measures.




To Support Passkeys, 1Password has Joined Passage

Passkey functionality, which enables users to securely log in to apps and websites without a password, will be made accessible to 1Password's customers by early 2023, the company announced.

Passkeys, which employ the WebAuthn standard developed by the FIDO Alliance and the World Wide Web Consortium, replace passwords with cryptographic key pairs that enable users to sign into accounts. These key pairs consist of a public key that can be shared and a private key that cannot be shared.

For users of Android devices, installing passwords on an Android phone or tablet is also simple. Passwords are simple to set up on an iPhone or iPad. In addition to extensions for various browsers, there still are versions for Linux, Windows 11, and macOS Ventura. The issue is that these platforms are beginning to ignore the password for the passkey.

Next year, 1Password will add support for passkeys, enabling users to log in without a password. Even for current users, the business has built up an interactive demo so they can see how the feature will operate once it is released.

Passkeys eliminate the requirement for a two-factor authentication code and are more resistant to phishing and compromised credentials than passwords in terms of password brute force attacks like password spraying.

It is accurate that 1Password claims that its version will have a few benefits over its rivals. Because it works with so many different operating systems, 1Password asserts that its passkeys are the only ones that support numerous devices and enable cross-platform synchronization.

The main benefits of passkeys, according to 1Password, are that they come with strong default encryption and do not need to be memorized because they are saved on the device, while the private key is kept private from the website being signed into. Furthermore, the private key cannot be deduced from the public key.

The world of authentication will alter as a result of passwordless technologies. This partnership must make it substantially simpler for businesses to integrate a safe, password-free authentication flow into their products in order for it to grow.


Experts Discover New CloudMensis Spyware Targeting Apple macOS Users

 

Researchers in cybersecurity have revealed previously unknown malware targeting Apple's macOS operating system. The malware, nicknamed CloudMensis by the Slovak cybersecurity firm ESET, is reported to exploit popular cloud storage systems like pCloud, Yandex Disk, and Dropbox only for receiving attacker orders and exfiltrating files. 

"Its capabilities clearly show that the intent of its operators is to gather information from the victims' Macs by exfiltrating documents, keystrokes, and screen captures," ESET researcher Marc-Etienne M.Léveillé stated in a report published. 

CloudMensis was found in April 2022, written in Objective-C, and is intended to attack both Intel and Apple semiconductor architectures. The initial infection vector for the attacks, as well as the targets, are yet unclear. However, the malware's limited dissemination suggests that it is being utilised as a part of a carefully targeted operation targeting businesses of interest. 

ESET discovered an attack chain that exploits code execution and administrative rights to launch a first-stage payload that is used to retrieve and run a second-stage malware housed on pCloud, which exfiltrates documents, screenshots, and email attachments, among other things. 

The first-stage downloader is also known to delete evidence of Safari sandbox escape and privilege escalation attacks in 2017 that make use of four now-resolved security flaws, implying that CloudMensis may have gone undetected for many years. The implant also includes capabilities that allow it to circumvent the Transparency, Consent, and Control (TCC) security system, which requires all programmes to seek user permission before accessing files in Documents, Downloads, Desktop, iCloud Drive, and network volumes. 

It accomplishes this by exploiting another fixed security flaw known as CVE-2020-9934, which was discovered in 2020. The backdoor also allows you to access a list of running processes, capture screenshots, list files from removable storage devices, and launch shell commands and other arbitrary payloads. 

Furthermore, an examination of information from the cloud storage infrastructure reveals that the pCloud accounts were established on January 19, 2022, with compromises beginning on February 4 and spiking in March. 

M.Léveillé said, "The general quality of the code and lack of obfuscation shows the authors may not be very familiar with Mac development and are not so advanced. Nonetheless, a lot of resources were put into making CloudMensis a powerful spying tool and a menace to potential targets."

Apple Launched a Safety Fix for a Zero-day Flaw

 

Apple released an emergency patch for iPhone, Mac, and iPad early last month that addressed two zero-day vulnerabilities in the various operating systems. Now, just days after the launch of iOS 15.5, Apple is asking Mac and Apple Watch owners to upgrade. 

Zero-day vulnerabilities are defects in software that the vendor is ignorant of and has not yet patched. Before a fix is released, this type of vulnerability may have publicly available proof-of-concept hacks or be actively exploited in the wild. Apple stated in security warnings released on Monday that they are aware of reports this security flaw "may have been actively exploited."

CVE-2022-22675 is a bug in AppleAVD, an audio and video extension that allows programs to run arbitrary code with kernel privileges. Apple patched the flaw in macOS Big Sur 11.6., watchOS 8.6, and tvOS 15.5 with enhanced bounds checking after unknown researchers reported it. Apple Watch Series 3 or later, Macs running macOS Big Sur, Apple TV 4K, Apple TV 4K (2nd generation), and Apple TV HD are all among the affected. 
  • In 2022, Apple had five zero-day vulnerabilities. Apple patched two more zero-day vulnerabilities in January, allowing hackers to execute arbitrary code with kernel privileges (CVE-2022-22587) and track online surfing habits and user identities in real-time (CVE-2022-22594). 
  • Apple also issued security upgrades to address a new zero-day vulnerability (CVE-2022-22620) that was used to compromise iPhones, iPads, and Macs.
  •  Two more actively exploited zero-days in the Intel Graphics Driver (CVE-2022-22674) and the AppleAVD media decoder were discovered in March (CVE-2022-22675). The latter is also backported in older macOS versions, including watchOS 8.6 and tvOS 15.5. 

Apple did not previously disclose specifics about the flaw to prevent hackers from using the knowledge. While, throughout last year, Apple fixed a slew of zero-day vulnerabilities that had been discovered in the wild and targeted iOS, iPadOS, and macOS devices. 

How do I upgrade my Mac? 
  • In the corner of the screen, select the Apple menu, and 'System Preferences' will appear. 
  • Click 'Software Update' in the following menu. 
  • Then select 'Update Now' or 'Upgrade Now' from the menu. 
If you're still using an older version of the operating system, such as Big Sur, click 'Upgrade Now' to upgrade to the most recent version. Monterey is approximately 12GB in size. 

How to manually update your Apple Watch: 
  • Open the Apple Watch app on your iPhone, then tap the 'My Watch' tab. 
  • Select 'Software Update' from the General menu. 
  • Install the update. If your iPhone or Apple Watch passcode is requested, enter it. 
  • On your Apple Watch, wait for the progress wheel to display. The update could take anything from a few minutes to an hour to finish.

Attackers Could Gain Access to User Data due to a 'Powerdir' Flaw in macOS

 

On January 11th, Microsoft disclosed a vulnerability in Apple's macOS that might let an attacker to get unauthorised access to protected user data by circumventing the operating system's Transparency, Consent, and Control (TCC) technology. On July 15, 2021, the Microsoft Security Vulnerability Research (MSVR) team disclosed its discovery to Apple's product security team. In a security update released on December 13, Apple fixed CVE-2021-30970, dubbed "Powerdir." 

TCC is an Apple subsystem that was first introduced in macOS Mountain Lion in 2012. The technology was created to assist users in configuring the privacy settings of their device's applications, such as access to the camera or microphone, or access to their calendar or iCloud account. 

Previously, apps could directly access TCC databases to see and even edit their contents. Apple made two adjustments in response to the possibility of bypass. First, Apple used System Integrity Protection (SIP) to safeguard the system-wide TCC.db, a macOS feature that prohibits illegal code execution. Second, Apple implemented a TCC policy requiring that only apps with full disk access can access the TCC.db files.

The vulnerability discovered by Microsoft would allow attackers to circumvent this feature and start an attack on a macOS device. When an app asks for access to protected user data, one of two things can happen: If the app and request type have a record in the TCC databases, a flag in the database entry indicates whether the request should be allowed or denied without the need for user intervention. If they do not have a record, the user is asked whether they want to allow or restrict access. 

Researchers discovered that it is easy to programmatically modify a target's home directory and plant a bogus TCC database, which maintains the consent history of app requests, wrote Jonathan Bar, with the Microsoft 365 Defender Research Team, in a blog post on the findings. If abused on an unpatched system, this issue might allow an attacker to launch an attack using the victim's protected personal data, according to him. 

This is the latest in a long line of TCC flaws fixed by Apple in recent years. Apple fixed CVE-2021-30713, a flaw that allowed attackers to bypass TCC protections and deliver XCSSET malware, last year. According to Jamf researchers who identified the problem, once on a machine, XCSSET used the bypass to take a screenshot of the user's desktop without requiring rights. 

Other reported vulnerabilities linked to TCC bypass in the previous year included CVE-2020-9771 and CVE-2020-9934. Apple's remedy for the latter piqued Microsoft's interest, and during their investigation, the team found an exploit that an attacker could use to change settings on any app.

Hackers Exploit macOS Zero-Day Vulnerability: Google Warns

 

Google's Threat Analysis Group (TAG) determined that cybercriminals targeting visitors to Hong Kong websites potentially have been exploiting a previously unreported zero-day issue in macOS to record keystrokes and screen captures. Apple patched the problem, known as CVE-2021-30869, in September, around a month after Google researchers identified it. Apple indicated that it was made aware of claims that a bug vulnerability was in the wild and that a malicious program might utilize it to run arbitrary code with kernel privileges. 

Google has also disclosed further details, stating that this was a "watering hole" assault, in which attackers choose websites to hack based on the characteristics of usual users. The cyberattacks were aimed at Mac and iPhone users. 

"A malicious application may be able to execute arbitrary code with kernel privileges. Apple is aware of reports that an exploit for this issue exists in the wild," Apple said, crediting Google TAG researchers with reporting of the flaw. 

The watering hole exploited an unpatched XNU privilege escalation vulnerability in macOS Catalina at the time, resulting in the installation of a backdoor. 

"The websites leveraged for the attacks contained two iframes which served exploits from an attacker-controlled server -- one for iOS and the other for macOS," said Erye Hernandez of Google TAG. 

"We believe this threat actor to be a well-resourced group, likely state-backed, with access to their own software engineering team based on the quality of the payload code," he added. 

The criminals used the earlier revealed XNU flaw, CVE-2020-27932, and an associated exploit to build an escalation of privilege problem that granted them root privileges on a targeted Mac. And once attackers got root privileges, they downloaded a payload that operated silently in the backdrop on affected Macs. According to Google TAG, the malware's architecture signals a well-resourced attacker. 

"The payload seems to be a product of extensive software engineering. It uses a publish-subscribe model via a Data Distribution Service (DDS) framework for communicating with the C2. It also has several components, some of which appear to be configured as modules," notes Hernandez. 

The backdoor had the typical suspicious characteristics of malware designed to spy on a victim, such as device fingerprinting, screengrabs, the capacity to upload and download data, and the ability to implement terminal instructions. In addition, the spyware can record audio and track keystrokes. Google did not reveal the websites that were targeted but did mention that they included a "media outlet and a prominent pro-democracy labor and political group" relating to Hong Kong news.

Remotely Exploitable Zero-Day Vulnerability In MacOS Allows Code Execution

 

A zero-day security flaw in the macOS Finder system in Apple might enable remote attackers to deceive users to perform unauthorized commands, however, a silent patch didn't resolve that, states researchers. 

The macOS Finder is the standard file manager and the GUI front-end used in all Macintosh operating systems. This is the first item users see when booting, and it regulates the activation of additional programs and overall user management of file, disc, and network volume. In other terms, it is the master program for all the other things on the Mac. 

This time the flaw resides in the handling of the macOS Finder, as per an SSD Secure Disclosure Notice.Inetloc files. Inettloc files may be used to open files remotely in a browser on someone's Mac by utilizing the "file:/" format (instead of http://) as shortcodes to the Internet destination (such as an RSS feed or a telnet site). The last function, experts argued, is at stake with day zero. 

Independent Park Minchan security researcher revealed the SSD vulnerability, stating that the problem affects the macOS Big Sur version as well as all the previous ones. In reply, Apple decided not to declare a CVE and repaired the matter discreetly instead. But, experts claimed, the patch was bungled. 

The .Inetloc files can also be particularly developed with contained instructions for the exploitation scenario for the flaw. The manufactured data may then be linked, researchers noted, too (or connected to) hostile e-mails. If people are socially engineered to click these, the instructions inside them immediately run in stump mode without the warning or consent of the victims. 

“A vulnerability in the way macOS processes. Inetloc files cause it to run commands embedded inside, the commands it runs can be local to the macOS allowing the execution of arbitrary commands by the user without any warning/prompts,” according to the advisory. 

New macOS (like Big Sur) versions reportedly banned the file:/ prefix… They stated that they did the case matching causing File:/ or fIle:/ to circumvent the inspection. 

“We…have not received any response from them since the report has been made,” according to the advisory. “As far as we know, at the moment, the vulnerability has not been patched.” 

Whether it is used in the wild or not, no information is out there. Meanwhile, Apple did not respond to the comment request.

2010-2020 Decade Roundup: 10 Most Frequently Occurred Security Vulnerabilities

 


A decade has come to an end but the security vulnerabilities of this decade in the IT sectors cannot be forgotten. In this article, we will be learning about the 10 most frequently occurred cyber vulnerabilities, which allowed threat actors to breach applications, steal user credentials, and tried to hurt millions at once. 

Understandably, this list will not be enough to enlist all vulnerabilities that strangled the IT world in the entire decade. Hence, in this article, we will be focusing on the vulnerabilities that had affected Unix, Linux, macOS, servers, and cloud computing. 

1. BlueBorne: This security attack occurred via a Bluetooth implementation in Android, iOS, Linux, and Windows. Reports showed that the blueBorne bug had affected over 8.2 billion devices worldwide. It was on 12 September 2017 when the vulnerabilities were reported by Armis, an IoT security firm, for the first time. This bug of affecting many electronic devices such as smartphones, laptops, smart cars, and wearable gadgets. 

2. Badlock: It was on 12 April 2016 when it has been discovered that a crucial security bug is affecting devices with CVE-2016-2118. The security bug that had been found in Microsoft Windows and Samba was affecting the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) remote protocols supported by Windows and Samba network. 

3. DirtyCow: It was a very serious computer security vulnerability that was found in the Linux kernel. It had affected all Linux-based running devices, such as Android devices but there was an exception, this bug was only affecting those systems that were using older versions of the Linux kernel created before 2018. This bug is a local privilege escalation that exploits a race hazard in the implementation of the copy-on-write tool in the kernel's memory-management subsystem. It must be noted that those computers and devices that still use the older kernels remain vulnerable. 

4. ForShawod: This decade has crippled Modern Intel/AMD processors with many security bugs. L1 Terminal Fault or Foreshadow affects modern microprocessors. The first version discloses sensitive information from PC and cloud network, whereas, the second version targets –Hypervisors (VMM), Virtual machines (VMs), System Management Mode (SMM) memory, and the Operating systems (OS) kernel memory. 

5. Heartbleed: It was a very dangerous cyber attack in the popular OpenSSL cryptographic software library that allowed stealing sensitive information under normal conditions by SSL/TLS encryption which is used to secure the Internet. SSL/TLS provides services such as communication security and privacy over the internet for applications including email, instant messaging (IM), Web, and some virtual private networks (VPNs). After this vulnerability Google had established ‘Project Zero’, its task is to secure the Web and society. 

6. iSeeYou: It was affecting Apple laptops, hackers were leveraging the vulnerability to exploit remote access and taking photographs of a person. Apple’s laptops involved a variety of operating systems, such as macOS, Linux, and Microsoft Windows. Therefore, litigations against this attack vary depending upon the operating system. In response to the discovery of this attack, the organization released iSightDefender to reduce the attack. 

7. Lazy: This security vulnerability affects Intel CPUs. The malicious actor uses this vulnerability to leak the FPU registers’ content which belongs to another process. This vulnerability is associated with Spectre and Meltdown vulnerabilities. Patches such as OpenBSD, Linux, Xen, and others have been released to address the vulnerability. 

8. Linux.Encoder: It is also known as ELF/Filecoder.A and Trojan.Linux.Ransom.A. It is the first ransomware Trojan that targets computers, servers, cloud, and devices functioning Linux. Also, there are additional variants of this Trojan that target Unix and Unix-like systems. 

9. POODLE: This attack is also known as the man-in-the-middle that exploits Internet and security software clients’ fallback to SSL 3.0. Any software which supports a fallback to SSL 3.0 is affected. To overcome its effects people have to disable SSL 3.0 on the client-side and the network-side. Various platforms such as Microsoft, Google, Apple, OpenSSL, and others have released software patches so they can protect their platforms against the POODLE security attack. 

10. Rootpipe: Rootpipe security vulnerability had been seen in OS X that gives privilege escalation. Exploiting security vulnerabilities on a system allows a hacker to gain superuser (root) access and with other bugs on a Mac, such as an unpatched Apache web browser, hackers can take advantage of root pipe to gain complete command of the running system and Apple computers or Network. According to the researchers in November 2017, a similar attack had been seen in macOS High Sierra which was giving easy access to the hackers into the system without a password and root account.