Search This Blog

Showing posts with label Mac. Show all posts

Lazarus Attacks Apple's M1 Chip, Lures Victims Via Fake Job Offers


New Attack by Lazarus

Advanced Persistent Threat (APT) Lazarus linked to North Korea is increasing its attack base with current operation In(ter)caption campaign, which targets Macs with M1 chip of Apple. The state-sponsored group continues to launch phishing attacks under the disguise of fake job opportunities. 

Threat experts at ESET (endpoint detection provider) alerted this week that they found a Mac executable disguised as a job details for an engineering manager position at the famous cryptocurrency exchange operator Coinbase. ESET's warning on twitter says that Lazarus posted the fake job offer to Virus total from Brazil. 

Operation In(ter)ception 

"The ongoing campaign and others from North Korea remain frustrating for government officials. The FBI blamed Lazarus for stealing $625 million in cryptocurrency from Ronin Network, which operates a blockchain platform for the popular NFT game Axie Infinity," reports DarkReading

Lazarus made the latest rebuild of the malware, Interception.dll, to deploy on Macs via loading three files- FinderFontsUpdater.app and safarifontsagent, fake Coinbase job offers and two executables. The binary can exploit Macs packed with Intel processors and with Apple's new M1 chipset. 

ESET experts began researching Operation In(ter)ception around three years back when the experts found attacks against military and aerospace companies. 

They observed that the operation's main goal was surveillance, but it also found incidents of the threat actors using a target's email account through a business email compromise (BEC) to finalize the operation. 

The interception.dll malware posts fake job offers to bait innocent victims, usually via LinkedIn. The Mac attack is the most recent one in a continuing aggressive front by Lazarus group to promote operation In(ter)ception, which has aggravated recently. ESET released a detailed white paper on the technique incorporated by Lazarus in 2020. 

It's an irony that the fake Coinbase job posting targets technically oriented people. The experts think that the threat actors were in direct contact, which means the victim was prompted to open whatever pop-up windows showed up on the screen to see the "dream job" offer from Coinbase. 

Apple revoked the certificate that would enable the malware to execute late last week after ESET alerted the company of the campaign. So now, computers with macOS Catalina v10.15 or later are protected, presuming the user has basic security awareness, saysPeter Kalnai, a senior malware researcher for ESET.


Microsoft Cautions Regarding a new Version of UpdateAgent Aimed at MacOS

 

Microsoft Security Intelligence researchers have found a new variant of UpdateAgent (aka WizardUpdate) which attacks Mac devices. The spyware, which was discovered in November 2020, may also install adware on macOS. According to the business, the new variation includes a variety of additional features that make it extremely challenging to identify and remove owing to greater persistence and escape methods. 

The virus may also exploit public cloud infrastructure to serve new payloads, which is another harmful capability. For example, when UpdateAgent is infected, it downloads additional adware known as Adload. 

“We recently discovered the latest variant of a Mac malware tracked as UpdateAgent (aka WizardUpdate) with new persistence and evasion tactics, the latest in a series of upgrades over the past year. Given its history, this Trojan will likely continue to grow in sophistication,” Microsoft tweeted. 

An additional feature of the virus is the ability to host multiple payloads on public cloud infrastructure. Adload is new adware that UpdateAgent installs as part of the extra malware.

The virus can gather computer information and transfer it to a command and control site. Notably, it is capable of circumventing Apple's Gatekeeper security function. It accomplishes this by removing the quarantine properties from the downloaded file. 

The core of macOS security is Gatekeeper; it prevents harmful apps from being installed by requiring code signing. UpdateAgent, like OSX/Dok malware, can easily circumvent Gatekeeper security, making it a persistent danger. 

Furthermore, PlistBuddy is used by cybercriminals to establish persistence. Malware often attempts to destroy produced directories, files, and other artifacts to hide its tracks. PlistBuddy is a built-in Mac software that allows users to edit.plist files. 

“The malware also leverages existing user permissions to create folders on the affected device. It uses PlistBuddy to create and modify Plists in LaunchAgent/LaunchDeamon for persistence. It then covers its tracks by deleting created folders, files, and other artifacts,” researchers tweeted. 

The new edition impersonates legal software as well; nevertheless, Microsoft did not specify whose software is being impersonated. The virus is suspected to be propagated via drive-by downloads.

Expert Releases PoC Exploit for MacOS Gatekeeper Bypass

 

Cybersecurity expert Rasmus Sten, an F-Secure software engineer, published a PoC exploit code for MacOS Gatekeeper bypass that Apple fixed earlier in 2021. The PoC (Proof of Concept) exploit attacks CVE-2021-1810 vulnerability, which leads to escaping three protection that Apple has built against harmful file downloads, particularly Gatekeeper, notarization and file quarantine. The vulnerability was discovered in the Archive Utility component of MacOs Big Sur and Catalina and can be compromised using specifically made ZIP file. 

For the compromise to be successful, the attacker has to fool the user into downloading and installing the archive to deploy malicious codes in the system. The vulnerability exploit would allow an attacker to execute unsigned binaries on MacOS systems, including Gatekeeper that enforces code signatures and user wouldn't be aware of the malicious code execution. According to Sten, the vulnerability is linked to a pattern where Archive Utility controls file paths. Especially, if the paths are larger than 886 characters, the com.apple.quarantine feature couldn't be enabled, which will allow Gatekeeper bypass for the malicious files. 

During the investigation of long path file names samples, Sten found that few MacOS parts showed unexpected pattern after the final path length touched a certain point. In the end, experts found that it may be possible to make an archive with a hierarchical structure, in this case, the path length would be long enough for Safari to call Archive Utility to unload it and wouldn't use com.apple.quarantine attribute, but small enough for Finder to browse and MacOS to deploy the malicious codes in the system. 

To lure the victim easily, attacker could hide archive folder structure using a symbolic link in root which is almost indifferent from a single application bundle in an archive root. "Sten, who also released a video demo of the exploit, has published PoC code that creates the archive with the path length necessary to bypass CVE-2021-1810, along with a symbolic link to make the ZIP file look normal.The vulnerability was addressed with the release of macOS Big Sur 11.3 and Security Update 2021-002 for Catalina," reports Security Week.

HPE: Sudo Flaw Grants Attackers Root Privileges to Aruba Platform

 

A vulnerability in Sudo, open-source software used within HP's Aruba AirWave management platform, can enable any unprivileged and unauthorized local user to acquire root privileges on a vulnerable host, as warned by Hewlett Packard Enterprise (HPE). 

According to a recent HPE security advisory, the Sudo vulnerability may be part of a "chained attack." An attacker gains a foothold with fewer rights via another flaw and then exploits this to escalate privileges. 

The Aruba AirWave management platform for wired and wireless infrastructures is HPE's real-time monitoring and security warning system. In January, researchers at Qualys discovered the Sudo issue (CVE-2021-3156) and think it affects millions of endpoint devices and systems. 

According to the Sudo license, Sudo is software used by various platforms that allows a system admin to distribute power to give particular users (or groups of users) the ability to perform certain (or all) commands as root or another user.” 

Mehul Revankar, Qualys' VP of Product Management and Engineering, defined the Sudo bug as "perhaps the most significant Sudo vulnerability in recent memory (both in terms of scope and impact) and has been hiding in plain sight for nearly 10 years" in a research note at the time it was discovered. 

For HPE, the company officially reported the issue last week, stating that it impacted the AirWave management platform prior to version 8.2.13.0, released on June 18, 2021. 

According to the security bulletin, “A vulnerability in the command line parameter parsing code of Sudo could allow an attacker with access to Sudo to execute commands or binaries with root privileges.” 

The Sudo vulnerability has been termed "Baron Samedit" by Qualys researchers, who claim the flaw was introduced into the Sudo code in July 2011. The problem was first thought to primarily affect Linux and BSD operating systems, including Ubuntu 20.04 (Sudo 1.8.31), Debian 10 (Sudo 1.8.27), and Fedora 33. (Sudo 1.9.2). 

Since then, further security advisories have been issued by other companies. HPE isn't the first company to report a Sudo dependency in its code, and it probably won't be the last. 

However, in February, an Apple security advisory warned that the Sudo vulnerability was present in macOS (macOS Big Sur 11.2, macOS Catalina 10.15.7, macOS Mojave 10.14.6). Following the announcement, Apple released a Sudo patch (Sudo version 1.9.5p2) to fix the vulnerability. 

Mitigate The Risk

According to experts, the flaw may be exploited to carry out privilege escalation attacks in the context of the Aruba AirWave management platform Sudo's flaw is a heap-based buffer overflow that allows any local user to deceive Sudo to operate in shell mode. 

Researchers explain that when Sudo is executed in shell mode, it "escapes special characters in the command's parameters with a backslash." Then, a policy plug-in eliminates any escape characters before deciding on the Sudo user's permissions.” 

Users should upgrade to version 8.2.13.0 or above of HPE's AirWave management platform to mitigate the potential risk, according to HPE. Sudo issued a fix earlier this year as well, for HPE AirWave, a technical fix is also available:

“To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends that the CLI and web-based management interfaces for AirWave be restricted to a dedicated layer 2 segment/VLAN and/or controlled by firewall policies at layer 3 and above,” as per HPE.

New AdLoad Malware Circumvents Apple’s XProtect to Infect macOS Devices

 

As part of multiple campaigns detected by cybersecurity firm SentinelOne, a new AdLoad malware strain is infecting Macs bypassing Apple's YARA signature-based XProtect built-in antivirus. 

AdLoad is a widespread trojan that has been aiming at the macOS platform since late 2017 and is used to distribute a variety of malicious payloads, including adware and Potentially Unwanted Applications (PUAs). This malware can also harvest system information and send it to remote servers managed by its operators. 

According to SentinelOne threat researcher Phil Stokes, these large-scale and continuing attacks began in early November 2020, with a spike in activity commencing in July and early August. 

AdLoad will install a Man-in-the-Middle (MiTM) web proxy after infecting a Mac to compromise search engine results and incorporate commercials into online sites for financial benefit. 

It will also acquire longevity on infected Macs by installing LaunchAgents and LaunchDaemons, as well as user cronjobs that run every two and a half hours in some circumstances. 

According to SentinelLabs, “When the user logs in, the AdLoad persistence agent will execute a binary hidden in the same user’s ~/Library/Application Support/ folder. That binary follows another deterministic pattern, whereby the child folder in Application Support is prepended with a period and a random string of digits. Within that directory is another directory called /Services/, which in turn contains a minimal application bundle having the same name as the LaunchAgent label. That barebones bundle contains an executable with the same name but without the com. prefix.” 

During the period of this campaign, the researcher witnessed over 220 samples, 150 of which were unique and went unnoticed by Apple's built-in antivirus, despite the fact that XProtect presently comprises of dozen AdLoad signatures. 

Many of the SentinelOne-detected samples are also signed with legitimate Apple-issued Developer ID certificates, while others are attested to operate under default Gatekeeper settings. 

Further, Stokes added, "At the time of writing, XProtect was last updated around June 15th. None of the samples we found are known to XProtect since they do not match any of the scanner’s current set of Adload rules." 

"The fact that hundreds of unique samples of a well-known adware variant have been circulating for at least 10 months and yet remain undetected by Apple’s built-in malware scanner demonstrates the necessity of adding further endpoint security controls to Mac devices." 

To effectively comprehend the significance of this threat, Shlayer's case can be considered which is another common macOS malware strain capable of bypassing XProtect and infecting Macs with other malicious payloads. 

Shlayer recently exploited a macOS zero-day to bypass Apple's File Quarantine, Gatekeeper, and Notarization security checks and download second-stage malicious payloads on compromised Macs. 

Even though these malware strains are just delivering adware and bundleware as secondary payloads, for the time being, their developers can, however, switch to distributing more serious malware at any point. 

Apple’s head of software, under oath, while testifying in the Epic Games vs. Apple trial in May said, "Today, we have a level of malware on the Mac that we don’t find acceptable and that is much worse than iOS."

Apple isn't Happy About the Amount of Mac Malware

 

During testimony defending Apple in a lawsuit with Fortnite developer Epic Games, a top Apple executive said that Mac malware has now surpassed Apple's tolerance level and framed safety as the justification for keeping iPhones locked to the App Store. According to a top Apple executive, this is why Apple must keep iPhone, iPad, and other mobile products behind the App Store's walled garden. 

Craig Federighi, Apple's head of software engineering, told a California court that the existing levels of malware were "unacceptable." "Today, we have a level of malware on the Mac that we don't find acceptable," he stated in response to questions from Apple's lawyers, as ZDNet sister site CNET reports. 

Apple is defending its activities after Epic Games filed a lawsuit in the United States stating because Apple kicked its Fortnight game off the App Store after Epic implemented a direct payment scheme for in-game currency, bypassing Apple's 30% developer fee. Apple, according to Epic, is too restrictive. 

On May 03, the Apple-Epic case began. Phil Schiller, the CEO of the App Store, stated yesterday that the App Store has always prioritized protection and privacy. According to Federighi, 130 different forms of Mac malware have been discovered since May, with one version infecting 300,000 systems. iOS devices can only install applications from Apple's App Store, while Macs can install software from anywhere on the internet. 

Mac malware is already outpacing Windows malware, according to Malwarebytes, a US protection company that offers Mac antivirus. However, the company pointed out that the risks to Macs, which mainly consisted of adware, were not as harmful as malware for Windows. Federighi contrasted the Mac to a car, while iOS was created with children's protection in mind, according to 9to5Mac. 

"The Mac is a car. You can take it off-road if you want and you can drive wherever you want. That's what you wanted to buy. There's a certain level of responsibility required. With iOS, you wanted to buy something where children can operate an iOS device and feel safe doing so. It's really a different product," he stated.

Federighi also said that things would change significantly if Apple allowed iOS users to sideload applications.

Apple's Find My Network: Can be Abused to Leak Secrets Via Passing Devices

 

Apple's Find My network, which is used to track iOS and macOS devices – as well as more recently AirTags and other kits – has been revealed to be a possible espionage tool. 

In brief, passing Apple devices can be used to send data over the air from one location to another, such as a computer on the other side of the world, without the need for any other network connection. 

Using Bluetooth Low Energy (BLE) broadcasts and a microcontroller designed to act as a modem, Fabian Bräunlein, co-founder of Positive Security, invented a way to send a limited amount of arbitrary data to Apple's iCloud servers from devices without an internet connection. A Mac application can then download the data from the cloud. He dubbed his proof-of-concept service Send My in a blog post on Wednesday. 

When activated in Apple devices, the Find My network acts as a crowdsourced location-tracking system. Participating devices transmit over BLE to other nearby Apple devices, which then relay data back to Cupertino's servers via their network link. Authorized device owners can then use the company's iCloud-based Find My iPhone or iOS/macOS Find My app to get location reports on enrolled hardware. 

Researchers from Germany's Technical University of Darmstadt – Alexander Heinrich, Milan Stute, Tim Kornhuber, and Matthias Hollick – released an overview of Apple's Find My network's protection and privacy in March, uncovering a few issues along the way. 

Bräunlein's aim was to see if the Find My network could be exploited to send arbitrary data from devices that didn't have access to the internet. "Such a technique could be employed by small sensors in uncontrolled environments to avoid the cost and power consumption of mobile internet," he states. "It could also be interesting for exfiltrating data from Faraday-shielded sites that are occasionally visited by iPhone users." Since he didn't find any rate-limiting mechanism for the number of location reports devices can send over the Find My network, he theorizes that his strategy may be used to deplete smartphone users' data plans. 

With each report being more than 100 bytes, broadcasting a large number of unique public encryption keys as part of the Find My protocol would increase the amount of mobile traffic sent. Bräunlein used an ESP32 microcontroller with OpenHaystack-based firmware to transmit a hardcoded default message and listen for new data on its serial interface for his data exfiltration scheme. These signals will be picked up by nearby Apple devices that have to Find My broadcasting switched on and transferred to Apple's servers. 

In order to satisfy Apple's authentication criteria for accessing location data, obtaining data from a macOS computer necessitates the use of an Apple Mail plugin that runs with elevated privileges. To view the unsanctioned transmission, the user must also install OpenHaystack and run DataFetcher, a macOS app created by Bräunlein.

Hackers Take Advantage of Adobe Zero-Day Vulnerability Impacting Acrobat Reader

 

A patch for Adobe Acrobat, the world's most popular PDF reader, addresses a vulnerability that has been actively exploited and affects both Windows and macOS systems, allowing for arbitrary code execution. 

Adobe is advising customers about a crucial zero-day vulnerability in its widely used Adobe Acrobat PDF reader software that is being actively exploited in the wild. As part of Adobe's Tuesday roundup of 43 fixes for 12 of its products, including Adobe Creative Cloud Desktop Application, Illustrator, InDesign, and Magento, a patch is now available. 

According to Adobe, the CVE-2021-28550 zero-day vulnerability "has been exploited in the wild in selective attacks targeting Adobe Reader users on Windows. Adobe Reader users on Windows may be the only ones that are currently being targeted. The bug, however, affects eight different versions of the software, including those for Windows and Mac. The versions include:

1.Windows Acrobat DC & Reader DC (versions 2021.001.20150 and earlier) 
2.macOS Acrobat DC & Reader DC (versions 2021.001.20149 and earlier) 
3.Windows & macOS Acrobat 2020 & Acrobat Reader 2020 (2020.001.30020 and earlier versions)
4.Windows & macOS Acrobat 2017 & Acrobat Reader 2017 (2017.011.30194  and earlier versions)

Adobe did not have any technical details about the zero-day flaw. Those details are usually available after users have had a chance to apply the patch. Users can manually update their product installations by going to Help > Check for Updates, according to Adobe's May security bulletin, which was released on Tuesday. 

Several other important bugs were included in Tuesday's roundup of 43 fixes. Adobe Acrobat received a total of ten crucial and four significant vulnerability patches. A total of seven of the bugs were arbitrary code execution bugs. Three of the vulnerabilities patched on Tuesday (CVE-2021-21044, CVE-2021-21038, and CVE-2021-21086) expose systems to out-of-bounds write attacks. 

On Tuesday, Adobe Illustrator got the highest number of patches, with five critical code execution vulnerabilities patched. Three of the flaws (CVE-2021-21103, CVE-2021-21104, and CVE-2021-21105), according to Adobe's definition, are memory corruption bugs that enable hackers to execute arbitrary code on targeted systems. The three memory corruption bugs were discovered by Kushal Arvind Shah, a bug-hunter with Fortinet's FortiGuard Labs.