The top macOS malware: Shlayer

Generally, macOS is considered one of the safest OS but cybercriminals are skilled enough to find loopholes and security lapses in macOS as well. As per the latest research report from Kaspersky Lab, the most widespread macOS threat in the year 2019 was the Shlayer malware.

According to security firm Kapersky, Macs have been the frequent target of what’s called the Shlayer Trojan. The company reports that this has been active since at least early 2018, but in 2019 specifically it was the most common threat to macOS. Around 10% of all Macs were attacked with it, and by itself, Shlayer represents 30% of all the Trojans detected on macOS.

According to Kaspersky, a common method is to display faked messages about Adobe Flash being out of date. The “Download Flash” button actually downloads the Trojan. This Trojan installs Any Search bar on the targeted Mac device to deploy adware so that illegal ads could be displayed. Apart from adware, the malware can intercept and collect browser data from the target device and alter search results to deliver a large number of ads.

mac-fake-Flash-l

The Trojan installs multiple adware including AdWare.OSX.Cimpli, AdWare.OSX.Bnodlero,  AdWare.OSX.Pirrit,  and AdWare.OSX.Geonei.

Significantly, Kaspersky says that even though the Trojan was detected almost two years ago, it is still prevalent.

Google researchers disclose multiple privacy flaws in Apple’s Intelligent Tracking Prevention Safari Feature

Google researchers have discovered multiple security flaws in Apple’s Safari web browser that let users’ browsing habits be tracked despite Apple’s Intelligent Tracking Prevention feature.

The report from the Financial Times cites a soon-to-be-released paper in which researchers from Google’s cloud team explain the vulnerabilities. According to the report, Google researchers have identified five different attacks that could result from the security flaws in Safari.

Google researchers say that Safari left personal data exposed because the Intelligent Tracking Prevention List “implicitly stores information about the websites visited by the user.” Malicious entities could use these flaws to create a “persistent fingerprint” that would follow a user around the web or see what individual users were searching for on search engine pages.

Intelligent Tracking Prevention, which Apple began implementing in 2017, is a privacy-focused feature meant to make it harder for sites to track users across the web, preventing browsing profiles and histories from being created.

Google made Apple aware of these vulnerabilities in August of last year, and the Financial Times says Apple rolled out a fix to Safari’s Intelligent Tracking Prevention feature in December. Apple referenced the fixes in a blog post in December, thanking Google for the help.

FBI successfully unlocked iPhone 11 Pro Max with GrayKey third party tool

According to the report, FBI investigators in Ohio used the GrayKey hardware box to unlock an iPhone 11 Pro Max.

The ‌iPhone‌ belonged to Baris Ali Koch, who was accused of helping his convicted brother flee the country by providing him with his own ID documents and lying to the police. He has now entered a plea agreement and is awaiting sentencing.

Koch’s lawyer confirmed to Forbes that the ‌iPhone‌ was locked with a passcode when it got in the hands of the FBI and that the code was never revealed to law enforcement, nor was the defendant forced to use his face to unlock the phone via Face ID.

A search warrant filed on Oct. 30 reveals the FBI has in its possession a USB drive containing “GrayKey derived forensic analysis” of the iPhone in question.

While not specified in the Oct. 30 search warrant, the report suggests the FBI successfully deployed GrayKey to gain access to Koch’s iPhone 11 Pro Max.

Produced by startup Grayshift, GrayKey is a portable gray box that has previously been used by law enforcement to crack the passcode on iPhones. Complete details on how the latest GrayKey works are not known, although Apple continually works to fix the kinds of exploits used by such devices.

Department of Homeland Security Urges Users to Update Firefox now

The United States Cybersecurity and Infrastructure Agency (CISA) this week urged customers who are using the Firefox browser to upgrade to version 72.0.1, as there is a major vulnerability that could allow attackers to take control of affected computers.

Mozilla has released security updates to address a vulnerability in Firefox and Firefox ESR.

The Cybersecurity and Infrastructure Security Agency (CISA), part of the Department of Homeland Security encourages users and administrators to review the Mozilla Security Advisory for Firefox 72.0.1 and Firefox ESR 68.4.1 and apply the necessary updates.

The vulnerability was first discovered by Chinese company Qihoo 360 two days after the release of Firefox 72, but there is no word on how long the bug has been exploited nor who used the vulnerability or who might have been targeted. This is the third zero-day vulnerability that Mozilla has addressed within the last year, with the company patching two other major vulnerabilities in June 2019.

To update Firefox, users can open the browser, click on the Firefox menu, then on About Firefox. This will start the update.

International money transfer service Travelex extorted by hackers

Foreign exchange company Travelex was hit by cyber attackers wielding the Sodinokibi (aka REvil) ransomware demanding $6 million (£4.6 million). More than a week later, the company’s websites and online services are still offline despite the company’s remediation efforts.

The ransomware gang known as Sodinokibi — also as REvil — says it has downloaded more than 5GB of sensitive customer data, including dates of birth, credit card information and national insurance numbers, which it will publish if payment is not made within a week. The hackers originally demanded $3 million, but doubled the sum after two days of non-payment.

The attackers claim to have had access to the company’s computer network for the last six months, which allowed them to download customer data.

Following the attack — which took place on New Year’s Eve when many employees were on vacation — the company displayed “planned maintenance” messages on its websites across Europe, Asia and the US in order to “contain the virus and protect data.” That message has since been changed to an official press release in which Travelex says that while “it does not yet have a complete picture of all the data that has been encrypted, there is still no evidence to date that any data has been exfiltrated.”

“Having completed the containment stage of its remediation process, detailed forensic analysis is fully underway and the company is now also working towards recovery of all systems. To date Travelex has been able to restore a number of internal systems, which are operating normally.”

The UK Information Commissioner’s Office (ICO) has yet to receive a data breach report from the company and neither have the customers who ordered currency from Travelex before the attack and paid for it, but are unable to collect it.

 

 

 

Apple, Amazon, Google, and Zigbee Alliance, working on open standard for Smart Home Devices

Apple, Amazon, Google, and the Zigbee Alliance announced a new working group that plans to develop and promote the adoption of a new IP-based connectivity standard for smart home products, with a focus on increased compatibility, security, and simplified development for manufacturers.

Zigbee Alliance board member companies such as IKEA, Legrand, NXP Semiconductors, Resideo, SmartThings, Schneider Electric, Signify, Silicon Labs, Somfy, and Wulian are also onboard to join the working group and contribute to the project.

The industry working group will take an open-source approach for the development and implementation of a new, unified connectivity protocol.

The Project aims to make it easier for device manufacturers to build devices that are compatible with smart home and voice services such as Siri, Alexa, Google Assistant, and others by defining a specific set of IP-based networking technologies for device certification.

The project will be based on four existing proprietary standards, such as Apple’s HomeKit, Google’s Weave and Thread, Amazon’s Alexa Smart Home and Zigbee Alliance’s Dotdot data models.

The new connectivity standard will be open source and royalty free, with code to be maintained on GitHub. The working group has a goal to release a draft specification and a preliminary reference implementation in late 2020.


Google’s bug bounty program will cover all popular Android apps

The Google Play Security Rewards program will extend to any app in the Google Play Store that has more than 100 million installations.

The Google Play Security Reward program is a reward for developers who discover issues in apps on the Google Play Store. Previously, the program covered only
a set list of eight top-level apps, but now it will be extended to any app installed more than 100 million times in the Google Play Store.

If developers discover and disclose a vulnerability in an app to Google, Google will be offered a reward of up to $20,000.

A Google spokesperson said: “This opens the door for security researchers to help hundreds of organizations identify and fix vulnerabilities in their apps.”

In addition, Google is launching a Developer Data Protection Reward Program to address “data abuse issues” in Android apps, OAuth projects and Chrome extensions.

This means the apps that use or sell user data without their consent will be removed from the Google Play Store or Chrome Online Store if they are reported to have misused user data, and Google will reward the reporter for up to $50,000.

Apple vastly expands bug bounty program covers all operating systems, payouts up to $1M

Apple has confirmed at the Black Hat conference,  the bug bounty system has been expanded to cover Apple’s other operating systems.

Before that, Apple has restricted its bug bounty program to iOS and limited those who can participate in it. One of the first big changes announced today by Apple’s head of security engineering and architecture Ivan Krstic, is that the program will be opening up to include all of Apple’s platforms, even macOS and watchOS.

Going further, the expanded program will be open to all security researchers come this fall and Apple also shared a list of some of the new payouts which will go up to $1 million. The original iOS bounty program maxed out at a $200,000 payout.

During the conference, Apple provided a list of maximum possible payouts for finding issues, scaling with the difficulty of the attack.

  • Bounties for finding bugs that allow Lock screen bypass or unauthorized access to iCloud pay out $100,000.
  • Discovering vulnerabilities that could allow an attack via a user-installed app or network attacks pay up to $250k, while uncovering bugs that would allow network attacks with no user interaction pay up to $1 million.
  • That top payout is reserved for discovering a zero-click kernel code execution with persistence.
  • Furthermore, if a researcher finds a vulnerability in a pre-release beta build that is reported to Apple ahead of its public release, they stand to earn a bonus of up to 50% on top.

Apple also detailed its new iOS Security Research Device program. It will be launching next year and will also be open to all, as long as applicants have a “track record of high-quality systems security research…”

This is will be set up with permissions to provide more access to the inner workings of iOS, a move which could help increase the number of issues caught before they appear in beta or public-release software.

Latest Mac malware OSX/CrescentCore hides from security software

The latest Mac malware OSX/CrescentCore  trying to avoid detection by security researchers, according to security company Intego.

The company  says it has found CrescentCore on multiple websites, including one claiming to offer free downloads of new comic books.

Dubbed “CrescentCore,” the malware comes as it usually does —in the form of a DMG file pretending to be an Adobe Flash Player installer. If a user opens the .dmg disk image and opens the Player app, the malware will first check to see whether it is running inside a virtual machine.

The malware also checks to see whether any popular Mac antivirus programs are installed. If the malware determines that it’s running within a VM environment or with anti-malware software present, it will simply exit and not proceed to do anything further.

If there’s nothing in the way one version will install “LaunchAgent,” described as a “persistent infection,” while another will install either “Advanced Mac Cleaner” or a Safari extension.

“Nobody should be installing Flash Player in 2019—not even the real, legitimate one. Nearly all sites have stopped relying on Flash, as Adobe is discontinuing it; the company plans to no longer release security updates for Flash after 2020.” Intego commented.

CrescentCore is signed with multiple developer IDs registered to a “Sanela Lovic,” which Apple has already disabled. Intego’s own antivirus software is already scrubbing the code.

Flipboard discloses breach that gave hackers access to user data

Magazine-style news service Flipboard has revealed that hackers gained access to user passwords several times over the last nine months.

Between June 2, 2018 and April 22 this year databases were hit by “unauthorized access,” Flipboard said in an email to customers. The hackers may have “potentially” stolen information such as names, email addresses, and passwords, although the passwords were reportedly salted and hashed rather than saved in plain text.

The hacks exposed a variety of information connected to Flipboard user accounts, with the intruder able to access usernames, passwords, email addresses, and tokens used for connecting to third-party social networks such as Twitter. The passwords were protected using “salted hashing,” so long as they had been updated since March of 2012. Passwords from March 2012 and earlier were hashed with a weaker SHA-1 function.

As for the third-party account tokens, Flipboard says that it has “not found any evidence the unauthorized person accessed third-party account(s) connected to users’ Flipboard accounts.”

The company didn’t say how many people may have been impacted. As a safeguard however it’s notifying police, deleting any third-party tokens, and resetting all passwords, which may suggest widescale impact.